Obfuscated AutoIt Malware Injects Executables to Steal Passwords and Browser Data | Grouped Behavior
Involved Hosts

Hostname: jluxi.dynu.com
IP Addresses: 185.62.188.68
Country: NL
City: (empty)
Protocols: DNS, TCP
Has Blacklisted URL: False
Monitored Processes
Behavior Information - Grouped by Category
Process #1: 9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
(Host: 4170, Network: 0)
Information Value
ID #1
File Name c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe
Command Line "C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe"
Initial Working Directory C:\Users\EEBsYm5\Desktop\
Monitor Start Time: 00:00:10, Reason: Analysis Target
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:02:01
OS Process Information
Information Value
PID 0xa00
Parent PID 0x658 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA04, 0xA0C, 0xA14, 0xA18
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000140000 0x00140000 0x00142fff Pagefile Backed Memory Readable True False False
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True True False
pagefile_0x0000000000160000 0x00160000 0x00166fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000180000 0x00180000 0x00181fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x001affff Private Memory Readable, Writable True True False
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory Readable, Writable True True False
locale.nls 0x002b0000 0x00316fff Memory Mapped File Readable False False False
pagefile_0x0000000000320000 0x00320000 0x003e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f0fff Pagefile Backed Memory Readable True False False
9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe 0x00400000 0x00432fff Memory Mapped File Readable, Writable, Executable True True False
pagefile_0x0000000000440000 0x00440000 0x00540fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x00550000 0x005abfff Memory Mapped File Readable False False False
rpcss.dll 0x00550000 0x005abfff Memory Mapped File Readable False False False
private_0x0000000000550000 0x00550000 0x005fffff Private Memory Readable, Writable True True False
pagefile_0x0000000000550000 0x00550000 0x00550fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000560000 0x00560000 0x00561fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000570000 0x00570000 0x00571fff Pagefile Backed Memory Readable True False False
msctf.dll.mui 0x00570000 0x00570fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000580000 0x00580000 0x00581fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000580000 0x00580000 0x00580fff Pagefile Backed Memory Readable, Writable True False False
cversions.1.db 0x00590000 0x00593fff Memory Mapped File Readable True False False
cversions.2.db 0x00590000 0x00593fff Memory Mapped File Readable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db 0x005a0000 0x005b4fff Memory Mapped File Readable True False False
private_0x00000000005c0000 0x005c0000 0x005fffff Private Memory Readable, Writable True True False
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000610000 0x00610000 0x0120ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001210000 0x01210000 0x012eefff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x012f0000 0x015befff Memory Mapped File Readable False False False
private_0x00000000015c0000 0x015c0000 0x0163ffff Private Memory Readable, Writable True True False
pagefile_0x00000000015c0000 0x015c0000 0x015c0fff Pagefile Backed Memory Readable, Writable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db 0x015d0000 0x015fffff Memory Mapped File Readable True False False
private_0x0000000001600000 0x01600000 0x0163ffff Private Memory Readable, Writable True True False
pagefile_0x0000000001640000 0x01640000 0x01a32fff Pagefile Backed Memory Readable True False False
private_0x0000000001a40000 0x01a40000 0x01abffff Private Memory Readable, Writable True True False
private_0x0000000001ac0000 0x01ac0000 0x01bc0fff Private Memory Readable, Writable True True False
staticcache.dat 0x01ac0000 0x023effff Memory Mapped File Readable False False False
private_0x00000000023f0000 0x023f0000 0x024f0fff Private Memory Readable, Writable True True False
private_0x00000000023f0000 0x023f0000 0x027f0fff Private Memory Readable, Writable True True False
private_0x00000000023f0000 0x023f0000 0x027f0fff Private Memory Readable, Writable True True False
cversions.2.db 0x023f0000 0x023f3fff Memory Mapped File Readable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x02400000 0x02465fff Memory Mapped File Readable True False False
private_0x0000000002470000 0x02470000 0x0256ffff Private Memory Readable, Writable True True False
private_0x0000000002570000 0x02570000 0x0266ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002670000 0x02670000 0x02670fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000002680000 0x02680000 0x0277ffff Private Memory Readable, Writable True True False
private_0x0000000002800000 0x02800000 0x02900fff Private Memory Readable, Writable True True False
riched20.dll 0x6d740000 0x6d7b5fff Memory Mapped File Readable, Writable, Executable False False False
tiptsf.dll 0x6e5a0000 0x6e5f7fff Memory Mapped File Readable, Writable, Executable False False False
shdocvw.dll 0x6ec20000 0x6ec4dfff Memory Mapped File Readable, Writable, Executable False False False
apphelp.dll 0x70f80000 0x70fcbfff Memory Mapped File Readable, Writable, Executable False False False
riched32.dll 0x72980000 0x72985fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x73a70000 0x73a82fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73dc0000 0x73dfffff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x73e40000 0x73e60fff Memory Mapped File Readable, Writable, Executable False False False
propsys.dll 0x73ed0000 0x73fc4fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x740c0000 0x7425dfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75070000 0x7508afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75110000 0x7511afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75190000 0x751b6fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75360000 0x75371fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x75410000 0x75545fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75810000 0x7589efff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x758a0000 0x75922fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x75930000 0x75974fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76840000 0x76934fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76b70000 0x76d0cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76dc0000 0x76fbafff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77170000 0x771eafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True True False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\60484525\__tmp_rar_sfx_access_check_18052931 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\eebsym5\appdata\local\temp\60484525\hin.ppt 753.11 KB (771181 bytes) MD5: b4069d0c0e00f8266018f1263d28314a
SHA1: da9e1711e225aa694f28ac81677f0a8840acbd56
SHA256: 017a11f2c47b3329116d74da098437fef15a0283fd7df5b5cf16e167a74bf4bf
False
c:\users\eebsym5\appdata\local\temp\60484525\cvn-nhc 2.88 MB (3022508 bytes) MD5: de1a6fbf02c16cacd54d414ed4e6f73e
SHA1: 645a49fb10d04c18348e6614c3640cb2d732d7e2
SHA256: f0b7de110217d22b745eb45ad6c808974c667bb77dabdf824c7a439bb254d49d
False
c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 732.73 KB (750320 bytes) MD5: 71d8f6d5dc35517275bc38ebcc815f9f
SHA1: cae4e8c730de5a01d30aabeb3e5cb2136090ed8d
SHA256: fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b
False
c:\users\eebsym5\appdata\local\temp\60484525\jdl.jpg 0.58 KB (593 bytes) MD5: 4cf50661adbe97e9144a1ae14e0cc2d4
SHA1: 6cfecd4625e5cac62f73cd766c0695545615a80e
SHA256: 01da59d2d9a62cc31d8a28f02e58762f775783d072dc92cd4882472991c6c489
False
c:\users\eebsym5\appdata\local\temp\60484525\vqm.xl 0.51 KB (525 bytes) MD5: 39f5c28a7805e6993c878e2445b6de4f
SHA1: b1a4702db810d76ca9dab4a40b464161447a8485
SHA256: 2fb689a6de68f133a7baab6c6f6458fae38c6dae4d90f62da2b90641a048fc2a
False
c:\users\eebsym5\appdata\local\temp\60484525\bcu.mp4 0.51 KB (521 bytes) MD5: e800b240b278b15f7e04a9aa5aad5a94
SHA1: 5c57cfd08c138ecb8aaf08638ff708ed0fc11e9c
SHA256: d4c33eed67247dbddc3dcd7400bd24fd7209a597f468978f014568c2ee0a7fd1
False
c:\users\eebsym5\appdata\local\temp\60484525\rnr.mp3 0.54 KB (556 bytes) MD5: a1c50816b65f30e2260479114d0bcab6
SHA1: 74c73a920cbd9ef1057d4d8d7589363d14e4a55b
SHA256: c18f5a54575e9b56f95bbeb353318cba41fefbadc7f101589d5fc0df3fd56141
False
c:\users\eebsym5\appdata\local\temp\60484525\cvg.mp4 0.49 KB (505 bytes) MD5: da230cfbc8a80e350c87d894eebb76b9
SHA1: ea6d7ae1dc826a9344c00a01d47e92ee60bd6d61
SHA256: bdfc89fb5460d262442882b76f31f9853370abd79e86be034afb53e2be694118
False
c:\users\eebsym5\appdata\local\temp\60484525\chm.docx 0.60 KB (614 bytes) MD5: 84d55a12fc2416df5c1553ee17ad0992
SHA1: b402fc11ff5ef3552be26235e9fd016c7fe912b2
SHA256: 918778adbeba224f4b9dd8910b717cf706563c35e06fbe0d04dfb00ced8678ee
False
c:\users\eebsym5\appdata\local\temp\60484525\vua.jpg 0.50 KB (509 bytes) MD5: 6dd73a9654139bb6529a72207ddfde0f
SHA1: bd67f636d12ed1c4cff28f6a9a84e28b97d7f1a5
SHA256: 42220eec08a393cd359ec79cb610d2a845926b8d8119eb505276564aa25698c9
False
c:\users\eebsym5\appdata\local\temp\60484525\oxl.ico 0.51 KB (520 bytes) MD5: 22c528e901375639d3a014f6fe12ed43
SHA1: 74f6a3c188759980c3e7dc9de94642f86a18fb59
SHA256: 1af85ae13aa9aa6114ec4c03cfd840fb8222eeceb611aac530411979bd9bede9
False
c:\users\eebsym5\appdata\local\temp\60484525\fun.mp4 0.62 KB (633 bytes) MD5: 41db425bddeb6edff3829ede53e4b059
SHA1: 8355713e8ff5b27cc72f2a784d597be7d02e3c26
SHA256: 668dff85c71ac5142e3105426be365b7834e1dd8e3e0043674a272af26138f35
False
c:\users\eebsym5\appdata\local\temp\60484525\fqv.xl 0.55 KB (567 bytes) MD5: 2a8d81d0726edc11e6e4f75207fee58c
SHA1: 041b9554b7a23b86240e82c0c18e0c34cfdd4ae1
SHA256: bc2d0c9ff398b2883465e9c5963d0a8933b034ae43f6002481f674b5ade6c839
False
c:\users\eebsym5\appdata\local\temp\60484525\hgu.ico 0.56 KB (569 bytes) MD5: e9a2566e0a5296cf122c7089e0558baf
SHA1: e7d3001b6b6ebf6928e942f4c8343f4f551e0284
SHA256: 418946d3f5ab5a04d537045108c4e8db6dcb48bb465e2d0a01f91723b7948e49
False
c:\users\eebsym5\appdata\local\temp\60484525\brh.ppt 0.58 KB (597 bytes) MD5: fda5e079dbe06cc05c59ba4e27fa48c2
SHA1: 88181205ec8323e457d5bcd4e7a03cea28ad47c7
SHA256: 75cfe292e1d9d6bd3bdadfe1ce6bef7a57bfc2a6bb7ce6fecd497bf4ec583c37
False
c:\users\eebsym5\appdata\local\temp\60484525\xqa.mp4 0.54 KB (551 bytes) MD5: d46dd879f8205faa467df9c9a0019a9d
SHA1: 25631b0a07e69d1dc8e93e5e51946a27f98d2b17
SHA256: aa93b72e74034ed72878672e776fbe7fa55e93f78e485a337cbeae4bd18f4917
False
c:\users\eebsym5\appdata\local\temp\60484525\jub.bmp 0.56 KB (574 bytes) MD5: 81932b74d719d9feaee98fd12634ac5b
SHA1: a7283637bc88dacb689b39cebfc28a91e32f1e03
SHA256: 1c9ccc3a409e293eadbb70410de3c3405da55ceb47d36a639054b6f5c10a3c91
False
c:\users\eebsym5\appdata\local\temp\60484525\jgu.bmp 0.52 KB (532 bytes) MD5: 2a84b8aefabec88301c0f50f7cfb46f6
SHA1: e4b2c15448b6dace8cfa8227784b3f9396a2f498
SHA256: ef754e4a3efc638823684023ef2ddbbcdaf1354c290e4c33ef394df4c2a8d2ca
False
c:\users\eebsym5\appdata\local\temp\60484525\tik.icm 0.54 KB (550 bytes) MD5: 74efb6a98e74a829daafef9945004dca
SHA1: c5102cd3b0d7602f51099a27657b37a3bf787561
SHA256: bf1ab35f7bd5d5fc365d2c176bb5c5374e578b8424ed0fde82f55d1eae1d350d
False
c:\users\eebsym5\appdata\local\temp\60484525\wjv.pdf 0.53 KB (539 bytes) MD5: 1474405a725bc37f9fea9479c11a78bf
SHA1: b57f9f373b5323f3b701bf350fd98cf8a827b3ff
SHA256: d83ec42f0ff63cf14851f789e85f2dc33d76cb4c2409e1488f7474df2086033f
False
c:\users\eebsym5\appdata\local\temp\60484525\nvl.xl 0.51 KB (526 bytes) MD5: 90ca387ad342c41ae796173d560ccf84
SHA1: eb03b500bbf683a889c4758d228b55cedddd4c30
SHA256: 0ecf3eb5d0f794e7e32a941580da8641bff3bf248a68df43a35ae16d77eda192
False
c:\users\eebsym5\appdata\local\temp\60484525\xfg.dat 0.51 KB (520 bytes) MD5: c82da2a4e862c90a2d961098b1d64956
SHA1: 7edf516e6c807d8fa5aa912e23d9460721769207
SHA256: db7f2a223fef17affd13a518ac21c7675942bd475bc416dd78c7c6c186548b64
False
c:\users\eebsym5\appdata\local\temp\60484525\aqa.bmp 0.54 KB (557 bytes) MD5: f8b9deca33aba33d64623f47e7c88855
SHA1: a70b7a6327133486d04d4d3c57bd8930a3e3a698
SHA256: 449952af1c2bd2a2e1878b3a81044793305185a7d27f0066521645906a5040c7
False
c:\users\eebsym5\appdata\local\temp\60484525\rnj.mp3 0.53 KB (547 bytes) MD5: 6effc77853a885dd155870e04545880b
SHA1: 98ebfdb5b3ef2c2db538a290a0a26bc6cf885916
SHA256: 89b82044c02980606c7d6b39aa2cf08b66ca0db7e1b5ad23a7c0d64e056340d2
False
c:\users\eebsym5\appdata\local\temp\60484525\eff.icm 0.51 KB (522 bytes) MD5: c2f588f89c85d3c2c97e128f27234f2c
SHA1: b2b64e8b77e831f3a16fdd1da61f8f64f514b19e
SHA256: 1e8e0cc104f8c880f3a6d312f6bdc99c5f3f4fd3ee081eee7e2534ed511209fd
False
c:\users\eebsym5\appdata\local\temp\60484525\isi.xl 0.50 KB (507 bytes) MD5: 469067bf5a94e9002cf154a81f397c6a
SHA1: 737b86b50e3998052920f02bde3ad487743f1a6a
SHA256: 6b418ce9673895fb76b32b67faf05073e577444d82bf42ff21733e1f057c3d60
False
c:\users\eebsym5\appdata\local\temp\60484525\upe.mp3 0.56 KB (578 bytes) MD5: 62bd082578b0e38bc2b6b731b4a5ec49
SHA1: 3f6c8024888bf3caa19e6ad7db4a8f29859bdaa9
SHA256: 00a79f22f8ed82f6ea362254d04578bfa498dfed0d2ab8f733e6fbace1c2c078
False
c:\users\eebsym5\appdata\local\temp\60484525\fpo.xl 0.57 KB (581 bytes) MD5: ff594e995d9f6268a047cc2e269eb2b9
SHA1: a0a8692e4560d122d0dd359157544b32fdc57cd0
SHA256: 6cc6a2d2a8196b938e5e332df30d025374d6c98a18c5e707021141966203d7e1
False
c:\users\eebsym5\appdata\local\temp\60484525\wlk.pdf 0.52 KB (536 bytes) MD5: 747d40f9300dbb3ba36d7310b5ee40da
SHA1: 90d715455eb32004107a92bf810df71371ed4047
SHA256: cef051d14bcbc14e12f9d130f71e8b285b37117cd20c23678419b9ab8659300d
False
c:\users\eebsym5\appdata\local\temp\60484525\nlb.pdf 0.53 KB (541 bytes) MD5: a49efa6c9f872faad2232a4b6a2394a7
SHA1: c8dff7972de40ab025314a8c74b5bb8e1552170e
SHA256: 97b1b6f6884f0f92342576a9667c5cb3c1b61fabc8a0b1b23d1f57582b0624d3
False
c:\users\eebsym5\appdata\local\temp\60484525\emv.bmp 0.50 KB (511 bytes) MD5: 04f1e686525064abfdb4bfd7ff29a0b5
SHA1: 47748ea5978245b49c8136d9e147059afeb06ffe
SHA256: 8e3de8ce80c00091cb1aaa93f590226c7ac53a509926cdd815301237dd8e9e1b
False
c:\users\eebsym5\appdata\local\temp\60484525\raq.jpg 0.50 KB (514 bytes) MD5: e5d188010c3203e2d37d4225d6cae53b
SHA1: 430d4c308efdb225a74e10d3facefa8e44252be1
SHA256: 93846c06cef1c5515a1f78e95c040be5c75d3b6c78bf6438cf12fd7345d3c1c8
False
c:\users\eebsym5\appdata\local\temp\60484525\nep.mp4 0.58 KB (589 bytes) MD5: 498138dfbfbe52214e73e9c1141aa981
SHA1: bc7166b6abe72bb216d77d48185330668186bb88
SHA256: b1b69fb21d93d6bae3fbcf8338aa66ee2791362ec5f918bd9dc45c1c14d4749c
False
c:\users\eebsym5\appdata\local\temp\60484525\neo.ico 0.54 KB (551 bytes) MD5: a128399da3f11bda3f2164a97cb2b531
SHA1: 0d00f9e17e6445805ef34c8fdb68fe8e38ab4868
SHA256: dcf09d4181263a2a3b0787085f7b8dc8913245c0d6ac535e16f8a77ba17ecc91
False
c:\users\eebsym5\appdata\local\temp\60484525\wxv.mp4 0.51 KB (526 bytes) MD5: 924bdfca849290fd510d72a39da75d43
SHA1: b5c18c00e3596b8a87d068f67e59f46aba6509da
SHA256: b32f0a65698effe8c62e482bf9b6aec6f5fd496d52da525dca2078988956d3d9
False
c:\users\eebsym5\appdata\local\temp\60484525\beb.ppt 0.52 KB (530 bytes) MD5: afcc6587b4839826588ae54512851ef8
SHA1: e55525356075eba71766e12d7db9d67ef4cdd8cc
SHA256: 5fdfa5c8afbda02553bbf95969ca4434c57456b4e51a56330fddd770d9f84277
False
c:\users\eebsym5\appdata\local\temp\60484525\als.txt 0.50 KB (512 bytes) MD5: a81eeaae706a9e8ab123d3ed140d837e
SHA1: 3f0feac929dd6f1f5776298da84a14298f12cb10
SHA256: 169b9a0889e98c8e239c472e3041fccb2433c668f269782b28c74648c5135ba7
False
c:\users\eebsym5\appdata\local\temp\60484525\jkg.txt 0.57 KB (588 bytes) MD5: 0f7278aeb0c194405013a9963334e38c
SHA1: 2b7dab89793af056f56e84b9a1040c2c3e01f5a9
SHA256: 0c9293277fd0325971a2cf297d88460ad8df83d40f09f947fb36a50c59ad9c31
False
c:\users\eebsym5\appdata\local\temp\60484525\idv.xl 0.54 KB (550 bytes) MD5: 307fe5bd3f52c0aefb503401e2b08505
SHA1: 67ef51104877c6e6ca67e868b2a5d589e415a255
SHA256: 79bb5d0d7e6e403335b863935f832da481a550f7174e77f56a112d5a1f7bff8f
False
c:\users\eebsym5\appdata\local\temp\60484525\erk.ico 0.56 KB (576 bytes) MD5: 0a5b38cbc77ff6bfd9ca434eb372e88e
SHA1: a093894e555294518d98937f61e1eac26298539b
SHA256: a3cc42516891627a6ff9dcc5dcca3a4deaefbbf2f9a5411a644a34242b57f6f7
False
c:\users\eebsym5\appdata\local\temp\60484525\jfo.dat 0.54 KB (556 bytes) MD5: faf4d8efca05d9b305d0970a8417274c
SHA1: 847aff73ea3889518231b2a8e5aa2befd843f48b
SHA256: 4f081e6dfab65d9c1910303f41fafac0e3652e2af3713140d8cc30d79aed912e
False
c:\users\eebsym5\appdata\local\temp\60484525\pac.ppt 0.55 KB (564 bytes) MD5: bc062df0b1cf65138efbd74028d417ee
SHA1: 4e3254580fc0eea7fcd2daa270b5e94e7fca7560
SHA256: b007b3703bec0526df06de06a88e97f706f09554ac2eb930cad38a80a3c663f7
False
c:\users\eebsym5\appdata\local\temp\60484525\okk.pdf 0.53 KB (538 bytes) MD5: 7c65637227835e997638cdbbdda237db
SHA1: ddd80c708a202210df0c6bab2d53fad31510c77a
SHA256: 26f1259b8d53d6b4a43da7ebf431f4aff6617bbad13a188e9b4f534e21fd94b5
False
c:\users\eebsym5\appdata\local\temp\60484525\dxj.docx 0.64 KB (651 bytes) MD5: 1690024ca4904bc8664deb3b5c046a09
SHA1: d78d488168c4a91dfb4883107bb0b344e47f6103
SHA256: dc2a1291b72a6b56d6acf1a4d52278ff82a9ac18d20f650d7bf1c1527a0675d1
False
c:\users\eebsym5\appdata\local\temp\60484525\tob.ico 0.56 KB (575 bytes) MD5: 5d4a58ea600887506e113f87226108a7
SHA1: 6fd6c6d7b08df98858f8cd8bab2a8ddbaef39b78
SHA256: f6b0188a75c7fa2bcc06eb7d5de15a84facab9b2e2cc8d54aa7708833888d49b
False
c:\users\eebsym5\appdata\local\temp\60484525\guv.xl 0.54 KB (550 bytes) MD5: df21088736f29414e1aeacbea6dd4adb
SHA1: 2444bd270127ae12148eaf048fe82021f5580952
SHA256: 0bb6caa082e474fd47bdb620aa88536820e95f84cef92dcbda4fb686f29b3c3a
False
c:\users\eebsym5\appdata\local\temp\60484525\hjd.mp4 0.53 KB (543 bytes) MD5: ce4596068d05d9436fa2512cfe90a81a
SHA1: 4e209aede4adcee82bb4a8008291069a3a558f5c
SHA256: 54f750492edac60c64348bf5131e7ec5c2e60aa796d80194b673b9e632c9c9cd
False
c:\users\eebsym5\appdata\local\temp\60484525\ain.icm 0.52 KB (532 bytes) MD5: d997ac87e2adca0fe86fb0ba4a628299
SHA1: 14cae556c130ac9c5fa65168e9680893a4c73899
SHA256: c4a221aabd4c8dbc1ba62bd28e79af98b2e7a2c5d624c5f5c889352499bb47af
False
c:\users\eebsym5\appdata\local\temp\60484525\ugv.icm 0.54 KB (549 bytes) MD5: a8ca3dd1e20cbeba4c51df819b7bb68e
SHA1: 36d2b3b494d42d9958553cad17fa04819dfa2883
SHA256: d7820ee70bff4ff3f6922ab56d97c88aa79eb8591311d3a6c58b33c1c289d14a
False
Host Behavior
File (2166)
Operation Filename Additional Information Success Count
Create C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create __tmp_rar_sfx_access_check_18052931 desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe desired_access = GENERIC_READ, file_attributes = FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create hin.ppt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create cvn-nhc desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create cih.exe desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create jdl.jpg desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create vqm.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create bcu.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create rnr.mp3 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create cvg.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create chm.docx desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create vua.jpg desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create oxl.ico desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create fun.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create fqv.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create hgu.ico desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create brh.ppt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create xqa.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create jub.bmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create jgu.bmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create tik.icm desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create wjv.pdf desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create nvl.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create xfg.dat desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create aqa.bmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create rnj.mp3 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create eff.icm desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create isi.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create upe.mp3 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create fpo.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create wlk.pdf desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create nlb.pdf desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create emv.bmp desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create raq.jpg desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create nep.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create neo.ico desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create wxv.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create beb.ppt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create als.txt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create jkg.txt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create idv.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create erk.ico desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create jfo.dat desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create pac.ppt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create okk.pdf desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create dxj.docx desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create tob.ico desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create guv.xl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create hjd.mp4 desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create ain.icm desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create ugv.icm desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Create Directory C: False 1
Create Directory C:\Users False 1
Create Directory C:\Users\EEBsYm5 False 1
Create Directory C:\Users\EEBsYm5\AppData False 1
Create Directory C:\Users\EEBsYm5\AppData\Local False 1
Create Directory C:\Users\EEBsYm5\AppData\Local\Temp False 1
Create Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525 True 1
Add Search Path True 1
Get Info hin.ppt type = file_attributes False 1
Get Info hin.ppt type = file_type True 1
Get Info cvn-nhc type = file_attributes False 1
Get Info cvn-nhc type = file_type True 1
Get Info cih.exe type = file_attributes False 1
Get Info cih.exe type = file_type True 1
Get Info jdl.jpg type = file_attributes False 1
Get Info jdl.jpg type = file_type True 1
Get Info vqm.xl type = file_attributes False 1
Get Info vqm.xl type = file_type True 1
Get Info bcu.mp4 type = file_attributes False 1
Get Info bcu.mp4 type = file_type True 1
Get Info rnr.mp3 type = file_attributes False 1
Get Info rnr.mp3 type = file_type True 1
Get Info cvg.mp4 type = file_attributes False 1
Get Info cvg.mp4 type = file_type True 1
Get Info chm.docx type = file_attributes False 1
Get Info chm.docx type = file_type True 1
Get Info vua.jpg type = file_attributes False 1
Get Info vua.jpg type = file_type True 1
Get Info oxl.ico type = file_attributes False 1
Get Info oxl.ico type = file_type True 1
Get Info fun.mp4 type = file_attributes False 1
Get Info fun.mp4 type = file_type True 1
Get Info fqv.xl type = file_attributes False 1
Get Info fqv.xl type = file_type True 1
Get Info hgu.ico type = file_attributes False 1
Get Info hgu.ico type = file_type True 1
Get Info brh.ppt type = file_attributes False 1
Get Info brh.ppt type = file_type True 1
Get Info xqa.mp4 type = file_attributes False 1
Get Info xqa.mp4 type = file_type True 1
Get Info jub.bmp type = file_attributes False 1
Get Info jub.bmp type = file_type True 1
Get Info jgu.bmp type = file_attributes False 1
Get Info jgu.bmp type = file_type True 1
Get Info tik.icm type = file_attributes False 1
Get Info tik.icm type = file_type True 1
Get Info wjv.pdf type = file_attributes False 1
Get Info wjv.pdf type = file_type True 1
Get Info nvl.xl type = file_attributes False 1
Get Info nvl.xl type = file_type True 1
Get Info xfg.dat type = file_attributes False 1
Get Info xfg.dat type = file_type True 1
Get Info aqa.bmp type = file_attributes False 1
Get Info aqa.bmp type = file_type True 1
Get Info rnj.mp3 type = file_attributes False 1
Get Info rnj.mp3 type = file_type True 1
Get Info eff.icm type = file_attributes False 1
Get Info eff.icm type = file_type True 1
Get Info isi.xl type = file_attributes False 1
Get Info isi.xl type = file_type True 1
Get Info upe.mp3 type = file_attributes False 1
Get Info upe.mp3 type = file_type True 1
Get Info fpo.xl type = file_attributes False 1
Get Info fpo.xl type = file_type True 1
Get Info wlk.pdf type = file_attributes False 1
Get Info wlk.pdf type = file_type True 1
Get Info nlb.pdf type = file_attributes False 1
Get Info nlb.pdf type = file_type True 1
Get Info emv.bmp type = file_attributes False 1
Get Info emv.bmp type = file_type True 1
Get Info raq.jpg type = file_attributes False 1
Get Info raq.jpg type = file_type True 1
Get Info nep.mp4 type = file_attributes False 1
Get Info nep.mp4 type = file_type True 1
Get Info neo.ico type = file_attributes False 1
Get Info neo.ico type = file_type True 1
Get Info wxv.mp4 type = file_attributes False 1
Get Info wxv.mp4 type = file_type True 1
Get Info beb.ppt type = file_attributes False 1
Get Info beb.ppt type = file_type True 1
Get Info als.txt type = file_attributes False 1
Get Info als.txt type = file_type True 1
Get Info jkg.txt type = file_attributes False 1
Get Info jkg.txt type = file_type True 1
Get Info idv.xl type = file_attributes False 1
Get Info idv.xl type = file_type True 1
Get Info erk.ico type = file_attributes False 1
Get Info erk.ico type = file_type True 1
Get Info jfo.dat type = file_attributes False 1
Get Info jfo.dat type = file_type True 1
Get Info pac.ppt type = file_attributes False 1
Get Info pac.ppt type = file_type True 1
Get Info okk.pdf type = file_attributes False 1
Get Info okk.pdf type = file_type True 1
Get Info dxj.docx type = file_attributes False 1
Get Info dxj.docx type = file_type True 1
Get Info tob.ico type = file_attributes False 1
Get Info tob.ico type = file_type True 1
Get Info guv.xl type = file_attributes False 1
Get Info guv.xl type = file_type True 1
Get Info hjd.mp4 type = file_attributes False 1
Fn
Get Info hjd.mp4 type = file_type True 1
Fn
Get Info ain.icm type = file_attributes False 1
Fn
Get Info ain.icm type = file_type True 1
Fn
Get Info ugv.icm type = file_attributes False 1
Fn
Get Info ugv.icm type = file_type True 1
Fn
Get Info cih.exe type = file_attributes True 1
Fn
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 8192, size_out = 8192 True 12
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 7, size_out = 7 True 6
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 1048560, size_out = 934137 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 6, size_out = 6 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 28, size_out = 28 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 37, size_out = 37 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 2708, size_out = 2708 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 0, size_out = 0 True 17
Fn
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 7, size_out = 7 True 56
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 1048560, size_out = 934137 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 6, size_out = 6 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 28, size_out = 28 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 37, size_out = 37 True 40
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 32768, size_out = 32768 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 32736, size_out = 32736 True 22
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 10894, size_out = 10894 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 0, size_out = 0 True 1706
Fn
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 9115, size_out = 9115 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 32, size_out = 32 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 5087, size_out = 5087 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 476, size_out = 476 True 3
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 36, size_out = 36 True 7
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 427, size_out = 427 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 425, size_out = 425 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 452, size_out = 452 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 411, size_out = 411 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 38, size_out = 38 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 499, size_out = 499 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 416, size_out = 416 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 506, size_out = 506 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 459, size_out = 459 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 486, size_out = 486 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 446, size_out = 446 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 469, size_out = 469 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 432, size_out = 432 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 449, size_out = 449 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 437, size_out = 437 True 3
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 428, size_out = 428 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 424, size_out = 424 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 445, size_out = 445 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 426, size_out = 426 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 412, size_out = 412 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 470, size_out = 470 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 468, size_out = 468 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 435, size_out = 435 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 419, size_out = 419 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 444, size_out = 444 True 2
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 429, size_out = 429 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 421, size_out = 421 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 467, size_out = 467 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 448, size_out = 448 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 456, size_out = 456 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 439, size_out = 439 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 526, size_out = 526 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 462, size_out = 462 True 1
Fn
Data
Read C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe size = 447, size_out = 447 True 1
Fn
Data
Write hin.ppt size = 771181 True 1
Fn
Data
Write cvn-nhc size = 3022508 True 1
Fn
Write cih.exe size = 65536 True 8
Fn
Data
Write cih.exe size = 2560 True 2
Fn
Data
Write cih.exe size = 1792 True 1
Fn
Data
Write cih.exe size = 5888 True 1
Fn
Data
Write cih.exe size = 768 True 1
Fn
Data
Write cih.exe size = 37632 True 1
Fn
Data
Write cih.exe size = 8960 True 1
Fn
Data
Write cih.exe size = 1536 True 1
Fn
Data
Write cih.exe size = 256 True 1
Fn
Data
Write cih.exe size = 1024 True 3
Fn
Data
Write cih.exe size = 28672 True 1
Fn
Data
Write cih.exe size = 95232 True 1
Fn
Data
Write cih.exe size = 512 True 1
Fn
Data
Write cih.exe size = 7168 True 1
Fn
Data
Write cih.exe size = 16896 True 1
Fn
Data
Write cih.exe size = 4864 True 1
Fn
Data
Write cih.exe size = 7664 True 1
Fn
Data
Write jdl.jpg size = 593 True 1
Fn
Data
Write vqm.xl size = 525 True 1
Fn
Data
Write bcu.mp4 size = 521 True 1
Fn
Data
Write rnr.mp3 size = 556 True 1
Fn
Data
Write cvg.mp4 size = 505 True 1
Fn
Data
Write chm.docx size = 614 True 1
Fn
Data
Write vua.jpg size = 509 True 1
Fn
Data
Write oxl.ico size = 520 True 1
Fn
Data
Write fun.mp4 size = 633 True 1
Fn
Data
Write fqv.xl size = 567 True 1
Fn
Data
Write hgu.ico size = 569 True 1
Fn
Data
Write brh.ppt size = 597 True 1
Fn
Data
Write xqa.mp4 size = 551 True 1
Fn
Data
Write jub.bmp size = 574 True 1
Fn
Data
Write jgu.bmp size = 532 True 1
Fn
Data
Write tik.icm size = 550 True 1
Fn
Data
Write wjv.pdf size = 539 True 1
Fn
Data
Write nvl.xl size = 526 True 1
Fn
Data
Write xfg.dat size = 520 True 1
Fn
Data
Write aqa.bmp size = 557 True 1
Fn
Data
Write rnj.mp3 size = 547 True 1
Fn
Data
Write eff.icm size = 522 True 1
Fn
Data
Write isi.xl size = 507 True 1
Fn
Data
Write upe.mp3 size = 578 True 1
Fn
Data
Write fpo.xl size = 581 True 1
Fn
Data
Write wlk.pdf size = 536 True 1
Fn
Data
Write nlb.pdf size = 541 True 1
Fn
Data
Write emv.bmp size = 511 True 1
Fn
Data
Write raq.jpg size = 514 True 1
Fn
Data
Write nep.mp4 size = 589 True 1
Fn
Data
Write neo.ico size = 551 True 1
Fn
Data
Write wxv.mp4 size = 526 True 1
Fn
Data
Write beb.ppt size = 530 True 1
Fn
Data
Write als.txt size = 512 True 1
Fn
Data
Write jkg.txt size = 588 True 1
Fn
Data
Write idv.xl size = 550 True 1
Fn
Data
Write erk.ico size = 576 True 1
Fn
Data
Write jfo.dat size = 556 True 1
Fn
Data
Write pac.ppt size = 564 True 1
Fn
Data
Write okk.pdf size = 538 True 1
Fn
Data
Write dxj.docx size = 651 True 1
Fn
Data
Write tob.ico size = 575 True 1
Fn
Data
Write guv.xl size = 550 True 1
Fn
Data
Write hjd.mp4 size = 543 True 1
Fn
Data
Write ain.icm size = 532 True 1
Fn
Data
Write ugv.icm size = 549 True 1
Fn
Data
Delete __tmp_rar_sfx_access_check_18052931 True 1
Fn
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe show_window = SW_SHOWNORMAL True 1
Module (7)
Operation Module Additional Information Success Count
Load riched32.dll base_address = 0x72980000 True 1
Load riched20.dll base_address = 0x6d740000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 1
Get Handle c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe base_address = 0x400000 True 2
Get Filename process_name = c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, file_name_orig = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe, size = 1024 True 1
Get Address c:\windows\system32\kernel32.dll function = SetDllDirectoryW, address_out = 0x76a6c7cf True 1
Window (2)
Operation Window Name Additional Information Success Count
Set Attribute index = 18446744073709551600, new_long = 1342341248 True 1
System (1877)
Operation Additional Information Success Count
Get Time type = Ticks, time = 52868 True 20
Get Time type = Ticks, time = 52931 True 1
Get Time type = System Time, time = 2017-10-04 02:23:35 (UTC) True 1
Get Time type = Ticks, time = 53024 True 4
Get Time type = Ticks, time = 53040 True 30
Get Time type = Ticks, time = 53055 True 1
Get Time type = Ticks, time = 53071 True 63
Get Time type = Ticks, time = 53087 True 109
Get Time type = Ticks, time = 53149 True 1
Get Time type = Ticks, time = 53196 True 4
Get Time type = Ticks, time = 53211 True 37
Get Time type = Ticks, time = 53227 True 19
Get Time type = Ticks, time = 53243 True 37
Get Time type = Ticks, time = 53258 True 72
Get Time type = Ticks, time = 53274 True 61
Get Time type = Ticks, time = 53289 True 32
Get Time type = Ticks, time = 53305 True 68
Get Time type = Ticks, time = 53321 True 76
Get Time type = Ticks, time = 53336 True 66
Get Time type = Ticks, time = 53352 True 70
Get Time type = Ticks, time = 53367 True 60
Get Time type = Ticks, time = 53383 True 79
Get Time type = Ticks, time = 53399 True 71
Get Time type = Ticks, time = 53414 True 33
Get Time type = Ticks, time = 53430 True 71
Get Time type = Ticks, time = 53445 True 66
Get Time type = Ticks, time = 53461 True 69
Get Time type = Ticks, time = 53477 True 70
Get Time type = Ticks, time = 53492 True 69
Get Time type = Ticks, time = 53508 True 34
Get Time type = Ticks, time = 53523 True 61
Get Time type = Ticks, time = 53539 True 47
Get Time type = Ticks, time = 53555 True 67
Get Time type = Ticks, time = 53570 True 19
Get Time type = Ticks, time = 53586 True 73
Get Time type = Ticks, time = 53601 True 83
Get Time type = Ticks, time = 53617 True 68
Get Time type = Ticks, time = 53633 True 64
Get Info type = Operating System False 1
Environment (2)
Operation Additional Information Success Count
Set Environment String name = sfxcmd, value = "C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe" True 1
Set Environment String name = sfxname, value = C:\Users\EEBsYm5\Desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe True 1
Process #2: cih.exe
(Host: 256, Network: 0)
Information Value
ID #2
File Name c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" cvn-nhc
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:16, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:55
OS Process Information
Information Value
PID 0xa20
Parent PID 0xa00 (c:\users\eebsym5\desktop\9c3648e343b57ebf1fb3fe567deceb0da3499989dd56d4e82dd8911c3adf239d.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A24
0x A28
0x A2C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory Readable True False False
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True True False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000080000 0x00080000 0x00081fff Pagefile Backed Memory Readable True False False
private_0x0000000000090000 0x00090000 0x0048ffff Private Memory Readable, Writable True True False
locale.nls 0x00490000 0x004f6fff Memory Mapped File Readable False False False
pagefile_0x0000000000500000 0x00500000 0x005c7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005d0000 0x005d0000 0x006aefff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006b0000 0x006b0000 0x006b0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000006c0000 0x006c0000 0x006c6fff Pagefile Backed Memory Readable True False False
private_0x00000000006d0000 0x006d0000 0x006dffff Private Memory Readable, Writable True True False
pagefile_0x00000000006e0000 0x006e0000 0x007e0fff Pagefile Backed Memory Readable True False False
rpcss.dll 0x007f0000 0x0084bfff Memory Mapped File Readable False False False
pagefile_0x00000000007f0000 0x007f0000 0x007f1fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000800000 0x00800000 0x00800fff Private Memory Readable, Writable True True False
private_0x0000000000810000 0x00810000 0x0088ffff Private Memory Readable, Writable True True False
private_0x0000000000890000 0x00890000 0x0089ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000890000 0x00890000 0x00896fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000008a0000 0x008a0000 0x008a6fff Pagefile Backed Memory Readable, Writable True False False
cih.exe 0x008b0000 0x0097bfff Memory Mapped File Readable, Writable, Executable True True False
private_0x0000000000980000 0x00980000 0x00a7ffff Private Memory Readable, Writable True True False
private_0x0000000000aa0000 0x00aa0000 0x00e9ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000ea0000 0x00ea0000 0x01a9ffff Pagefile Backed Memory Readable True False False
private_0x0000000001c00000 0x01c00000 0x01c0ffff Private Memory Readable, Writable True True False
private_0x0000000001c10000 0x01c10000 0x01deffff Private Memory Readable, Writable True True False
sortdefault.nls 0x01df0000 0x020befff Memory Mapped File Readable False False False
private_0x00000000020e0000 0x020e0000 0x024dffff Private Memory Readable, Writable True True False
pagefile_0x00000000024e0000 0x024e0000 0x028d2fff Pagefile Backed Memory Readable True False False
private_0x00000000029e0000 0x029e0000 0x02ddffff Private Memory Readable, Writable True True False
private_0x0000000002de0000 0x02de0000 0x02ffffff Private Memory Readable, Writable True True False
private_0x0000000002de0000 0x02de0000 0x02f9cfff Private Memory Readable, Writable True True False
private_0x0000000002fc0000 0x02fc0000 0x02ffffff Private Memory Readable, Writable True True False
private_0x0000000003000000 0x03000000 0x031fffff Private Memory Readable, Writable True True False
private_0x0000000003310000 0x03310000 0x0341ffff Private Memory Readable, Writable True True False
winmm.dll 0x6e3b0000 0x6e3e1fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x718d0000 0x718e1fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x72980000 0x72986fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x73a70000 0x73a82fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73dc0000 0x73dfffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x740c0000 0x7425dfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74660000 0x74668fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x747c0000 0x747d6fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75110000 0x7511afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75190000 0x751b6fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75360000 0x75371fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x75410000 0x75545fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75670000 0x756a4fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75810000 0x7589efff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x765d0000 0x765d5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76840000 0x76934fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76b70000 0x76d0cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76dc0000 0x76fbafff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77100000 0x77104fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77170000 0x771eafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True True False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True True False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True True False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True True False
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\60484525\iwlwk 271.35 KB (277864 bytes) MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3
SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0
SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb
False
Host Behavior
File (171)
+
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc type = file_type True 1
Fn
Get Info *.* type = file_attributes False 1
Fn
Get Info ain.icm type = file_attributes True 1
Fn
Get Info als.txt type = file_attributes True 1
Fn
Get Info aqa.bmp type = file_attributes True 1
Fn
Get Info bcu.mp4 type = file_attributes True 1
Fn
Get Info beb.ppt type = file_attributes True 1
Fn
Get Info brh.ppt type = file_attributes True 1
Fn
Get Info chm.docx type = file_attributes True 1
Fn
Get Info cih.exe type = file_attributes True 1
Fn
Get Info cvg.mp4 type = file_attributes True 1
Fn
Get Info cvn-nhc type = file_attributes True 1
Fn
Get Info dxj.docx type = file_attributes True 1
Fn
Get Info eff.icm type = file_attributes True 1
Fn
Get Info emv.bmp type = file_attributes True 1
Fn
Get Info erk.ico type = file_attributes True 1
Fn
Get Info fpo.xl type = file_attributes True 1
Fn
Get Info fqv.xl type = file_attributes True 1
Fn
Get Info fun.mp4 type = file_attributes True 1
Fn
Get Info guv.xl type = file_attributes True 1
Fn
Get Info hgu.ico type = file_attributes True 1
Fn
Get Info hin.ppt type = file_attributes True 1
Fn
Get Info hjd.mp4 type = file_attributes True 1
Fn
Get Info idv.xl type = file_attributes True 1
Fn
Get Info isi.xl type = file_attributes True 1
Fn
Get Info jdl.jpg type = file_attributes True 1
Fn
Get Info jfo.dat type = file_attributes True 1
Fn
Get Info jgu.bmp type = file_attributes True 1
Fn
Get Info jkg.txt type = file_attributes True 1
Fn
Get Info jub.bmp type = file_attributes True 1
Fn
Get Info neo.ico type = file_attributes True 1
Fn
Get Info nep.mp4 type = file_attributes True 1
Fn
Get Info nlb.pdf type = file_attributes True 1
Fn
Get Info nvl.xl type = file_attributes True 1
Fn
Get Info okk.pdf type = file_attributes True 1
Fn
Get Info oxl.ico type = file_attributes True 1
Fn
Get Info pac.ppt type = file_attributes True 1
Fn
Get Info raq.jpg type = file_attributes True 1
Fn
Get Info rnj.mp3 type = file_attributes True 1
Fn
Get Info rnr.mp3 type = file_attributes True 1
Fn
Get Info tik.icm type = file_attributes True 1
Fn
Get Info tob.ico type = file_attributes True 1
Fn
Get Info ugv.icm type = file_attributes True 1
Fn
Get Info upe.mp3 type = file_attributes True 1
Fn
Get Info vqm.xl type = file_attributes True 1
Fn
Get Info vua.jpg type = file_attributes True 1
Fn
Get Info wjv.pdf type = file_attributes True 1
Fn
Get Info wlk.pdf type = file_attributes True 1
Fn
Get Info wxv.mp4 type = file_attributes True 1
Fn
Get Info xfg.dat type = file_attributes True 1
Fn
Get Info xqa.mp4 type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE True 2
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Open STD_ERROR_HANDLE True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 65536 True 92
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 8772 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 53248, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 20 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 61440, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 7852 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 65536 True 12
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 50285 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 65536, size_out = 0 True 1
Fn
Registry (3)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Control Panel\Mouse True 1
Open Key HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt False 1
Read Value HKEY_CURRENT_USER\Control Panel\Mouse value_name = SwapMouseButtons, data = 48 True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK os_pid = 0xa30, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL True 1
Module (17)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x769e0000 True 1
Load uxtheme.dll base_address = 0x73dc0000 True 1
Load user32.dll base_address = 0x755a0000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 2
Get Handle mscoree.dll base_address = 0x0 False 1
Get Filename process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260 True 3
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x76a3418d True 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76a31e16 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x76a376e6 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x76a31f61 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x76a24785 True 1
Get Address c:\windows\system32\uxtheme.dll function = IsThemeActive, address_out = 0x73dcf785 True 1
Get Address c:\windows\system32\user32.dll function = CallWindowProc, address_out = 0x0 False 1
Get Address c:\windows\system32\user32.dll function = CallWindowProcA, address_out = 0x755d2bd3 True 1
Window (2)
Operation Window Name Additional Information Success Count
Create AutoIt v3 class_name = AutoIt v3, wndproc_parameter = 0 True 1
System (6)
Operation Additional Information Success Count
Sleep duration = 750 milliseconds (0.750 seconds) True 1
Get Time type = System Time, time = 2017-10-04 02:23:36 (UTC) True 1
Get Time type = Ticks, time = 54132 True 1
Get Time type = System Time, time = 2017-10-04 02:23:37 (UTC) True 1
Get Info type = Operating System False 1
Get Info type = Hardware Information True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String True 1
Ini (3)
Operation Filename Additional Information Success Count
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Dir, data_out = 60484525 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = sK, data_out = 228 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = sN, data_out = rpi.qcn True 1
Debug (1)
Operation Process Additional Information Success Count
Check for Presence c:\users\eebsym5\appdata\local\temp\60484525\cih.exe True 1
Process #3: cih.exe
(Host: 371, Network: 0)
Information Value
ID #3
File Name c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:16, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:55
OS Process Information
Information Value
PID 0xa30
Parent PID 0xa20 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A34
0x A38
0x A3C
0x A40
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory Readable, Writable True False False
private_0x00000000000f0000 0x000f0000 0x004effff Private Memory Readable, Writable True False False
pagefile_0x00000000004f0000 0x004f0000 0x005b7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005c0000 0x005c0000 0x006c0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006d0000 0x006d0000 0x006d1fff Pagefile Backed Memory Readable True False False
private_0x00000000006e0000 0x006e0000 0x0077ffff Private Memory Readable, Writable True True False
pagefile_0x00000000006e0000 0x006e0000 0x006e1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006f0000 0x006f0000 0x006f0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000700000 0x00700000 0x00706fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000710000 0x00710000 0x00711fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000720000 0x00720000 0x00720fff Private Memory Readable, Writable True False False
tzres.dll 0x00730000 0x00730fff Memory Mapped File Readable False False False
private_0x0000000000730000 0x00730000 0x00730fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000740000 0x00740000 0x0077ffff Private Memory Readable, Writable True False False
private_0x0000000000780000 0x00780000 0x00780fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000790000 0x00790000 0x00790fff Private Memory Readable, Writable, Executable True False False
private_0x00000000007a0000 0x007a0000 0x007a0fff Private Memory Readable, Writable, Executable True False False
private_0x00000000007b0000 0x007b0000 0x007bffff Private Memory Readable, Writable True False False
pagefile_0x00000000007c0000 0x007c0000 0x0089efff Pagefile Backed Memory Readable True False False
private_0x00000000008a0000 0x008a0000 0x008a0fff Private Memory Readable, Writable, Executable True False False
cih.exe 0x008b0000 0x0097bfff Memory Mapped File Readable, Writable, Executable True False False
rpcss.dll 0x00980000 0x009dbfff Memory Mapped File Readable False False False
private_0x0000000000980000 0x00980000 0x009fffff Private Memory Readable, Writable True False False
rsaenh.dll 0x00a00000 0x00a3bfff Memory Mapped File Readable False False False
rsaenh.dll 0x00a00000 0x00a3bfff Memory Mapped File Readable False False False
private_0x0000000000a00000 0x00a00000 0x00a00fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000a40000 0x00a40000 0x00e3ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000e40000 0x00e40000 0x01a3ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01a40000 0x01d0efff Memory Mapped File Readable False False False
private_0x0000000001d10000 0x01d10000 0x01e0ffff Private Memory Readable, Writable True False False
private_0x0000000001e30000 0x01e30000 0x0222ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002230000 0x02230000 0x02622fff Pagefile Backed Memory Readable True False False
private_0x0000000002630000 0x02630000 0x0273ffff Private Memory Readable, Writable True True False
private_0x0000000002740000 0x02740000 0x0293ffff Private Memory Readable, Writable True False False
private_0x0000000002940000 0x02940000 0x02afcfff Private Memory Readable, Writable True True False
private_0x00000000029e0000 0x029e0000 0x02ddffff Private Memory Readable, Writable True False False
private_0x0000000002de0000 0x02de0000 0x02f9cfff Private Memory Readable, Writable True True False
private_0x0000000002ea0000 0x02ea0000 0x0329ffff Private Memory Readable, Writable True False False
private_0x00000000032a0000 0x032a0000 0x0345cfff Private Memory Readable, Writable True True False
winmm.dll 0x6e3b0000 0x6e3e1fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x718d0000 0x718e1fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x72980000 0x72986fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x73a70000 0x73a82fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x73dc0000 0x73dfffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x740c0000 0x7425dfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74660000 0x74668fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x747c0000 0x747d6fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x749b0000 0x749eafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74c10000 0x74c25fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75110000 0x7511afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x75190000 0x751b6fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x75360000 0x75371fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x75410000 0x75545fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75670000 0x756a4fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75810000 0x7589efff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x765d0000 0x765d5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76840000 0x76934fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x76b70000 0x76d0cfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76dc0000 0x76fbafff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77100000 0x77104fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77170000 0x771eafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Host Behavior
File (41)
Operation Filename Additional Information Success Count
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK type = file_type True 1
Get Info 60484525 type = file_attributes True 2
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd type = file_attributes False 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK type = file_attributes True 1
Open STD_INPUT_HANDLE True 2
Open STD_OUTPUT_HANDLE True 1
Open STD_ERROR_HANDLE True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 65536, size_out = 65536 True 8
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 65536, size_out = 15800 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 49152, size_out = 0 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 65536, size_out = 20 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 61440, size_out = 0 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 65536, size_out = 15720 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK size = 65536, size_out = 0 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 65536 True 12
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 50285 True 1
Delete C:\Users\EEBsYm5\AppData\Local\Temp\60484525\IWLWK True 1
Registry (5)
Operation Key Additional Information Success Count
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Open Key HKEY_CURRENT_USER\Control Panel\Mouse True 1
Open Key HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt False 1
Read Value HKEY_CURRENT_USER\Control Panel\Mouse value_name = SwapMouseButtons, data = 48 True 1
Write Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe os_pid = 0xa4c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\users\eebsym5\appdata\local\temp\60484525\cih.exe os_tid = 0xa34 True 1
Set Context c:\users\eebsym5\appdata\local\temp\60484525\cih.exe os_tid = 0xa34 True 1
Resume c:\users\eebsym5\appdata\local\temp\60484525\cih.exe os_tid = 0xa34 True 1
Memory (7)
Operation Process Additional Information Success Count
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x400000, size = 4096 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x401000, size = 69632 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x412000, size = 24576 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x418000, size = 4096 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x419000, size = 4096 True 1
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x7ffd3008, size = 4 True 1
Module (48)
Operation Module Additional Information Success Count
Load kernel32.dll base_address = 0x769e0000 True 1
Load uxtheme.dll base_address = 0x73dc0000 True 1
Load Advapi32.dll base_address = 0x76940000 True 1
Load user32.dll base_address = 0x755a0000 True 1
Load kernel32 base_address = 0x769e0000 True 17
Load ntdll base_address = 0x76fc0000 True 8
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 2
Get Handle mscoree.dll base_address = 0x0 False 1
Get Filename process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260 True 2
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x76a3418d True 1
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x76a31e16 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x76a376e6 True 1
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x76a31f61 True 1
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x76a24785 True 1
Get Address c:\windows\system32\uxtheme.dll function = IsThemeActive, address_out = 0x73dcf785 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContext, address_out = 0x0 False 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x769491dd True 1
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7694df4e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7694df36 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x76983188 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7694df66 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x76983178 True 1
Get Address c:\windows\system32\user32.dll function = CallWindowProcW, address_out = 0x755b1b3c True 1
Service (1)
Operation Additional Information Success Count
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Window (2)
Operation Window Name Additional Information Success Count
Create AutoIt v3 class_name = AutoIt v3, wndproc_parameter = 0 True 1
System (235)
Operation Additional Information Success Count
Sleep duration = 750 milliseconds (0.750 seconds) True 7
Sleep duration = 10 milliseconds (0.010 seconds) True 219
Get Time type = System Time, time = 2017-10-04 02:23:37 (UTC) True 3
Get Time type = Ticks, time = 54881 True 1
Get Info type = Operating System False 1
Get Info type = Hardware Information True 1
Get Info type = Windows Directory, result_out = C:\Windows True 3
Environment (1)
Operation Additional Information Success Count
Get Environment String True 1
Ini (22)
Operation Filename Additional Information Success Count
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Dir, data_out = 60484525 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = msg False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450 False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = VM False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = SandBox False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = duac False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = drpt False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = btklr False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = taskmnrg False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = hSUps False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30 True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Key, data_out = WindowsUpdate True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = AuEx, data_out = cvn-nhc True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = ExEc, data_out = cih.exe True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Down False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Net False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = eof False 2
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = RP, data_out = qkr.xul True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Keys, data_out = jom True 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = fb False 1
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = btkl False 1
Debug (1)
Operation Process Additional Information Success Count
Check for Presence c:\users\eebsym5\appdata\local\temp\60484525\cih.exe True 1
Process #4: regsvcs.exe
(Host: 274, Network: 39)
Information Value
ID #4
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:19, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:52
OS Process Information
Information Value
PID 0xa4c
Parent PID 0xa30 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x A50
0x A54
0x A58
0x A5C
0x A60
0x A64
0x A68
0x A74
0x A80
0x A84
0x A88
0x A8C
0x AC8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000d0fff Private Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory Readable, Writable True False False
private_0x00000000000f0000 0x000f0000 0x001effff Private Memory Readable, Writable True False False
pagefile_0x00000000001f0000 0x001f0000 0x002b7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000002c0000 0x002c0000 0x003c0fff Pagefile Backed Memory Readable True False False
private_0x00000000003d0000 0x003d0000 0x003d0fff Private Memory Readable, Writable True False False
private_0x00000000003e0000 0x003e0000 0x003e0fff Private Memory Readable, Writable True False False
private_0x00000000003f0000 0x003f0000 0x003f0fff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00419fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000460000 0x00460000 0x0055ffff Private Memory Readable, Writable True False False
private_0x0000000000580000 0x00580000 0x0067ffff Private Memory Readable, Writable True False False
private_0x0000000000680000 0x00680000 0x0077ffff Private Memory Readable, Writable True False False
private_0x00000000007e0000 0x007e0000 0x008dffff Private Memory Readable, Writable True False False
regsvcs.exe 0x008e0000 0x008edfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x00000000008f0000 0x008f0000 0x014effff Pagefile Backed Memory Readable True False False
private_0x0000000001580000 0x01580000 0x0167ffff Private Memory Readable, Writable True False False
private_0x00000000016b0000 0x016b0000 0x017affff Private Memory Readable, Writable True False False
private_0x00000000017b0000 0x017b0000 0x018affff Private Memory Readable, Writable True False False
private_0x0000000001960000 0x01960000 0x01a5ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x01a60000 0x01d2efff Memory Mapped File Readable False False False
private_0x0000000001d30000 0x01d30000 0x01efffff Private Memory Readable, Writable True True False
private_0x0000000001d30000 0x01d30000 0x01e9ffff Private Memory Readable, Writable True True False
private_0x0000000001d30000 0x01d30000 0x01e1ffff Private Memory Readable, Writable True False False
private_0x0000000001e90000 0x01e90000 0x01e9ffff Private Memory Readable, Writable True False False
private_0x0000000001ec0000 0x01ec0000 0x01efffff Private Memory Readable, Writable True False False
private_0x0000000001f00000 0x01f00000 0x020fffff Private Memory Readable, Writable True True False
private_0x0000000001f00000 0x01f00000 0x01feffff Private Memory Readable, Writable True False False
private_0x0000000001ff0000 0x01ff0000 0x020effff Private Memory Readable, Writable True False False
private_0x00000000020f0000 0x020f0000 0x020fffff Private Memory Readable, Writable True False False
private_0x00000000021c0000 0x021c0000 0x022bffff Private Memory Readable, Writable True False False
private_0x0000000002320000 0x02320000 0x0241ffff Private Memory Readable, Writable True False False
private_0x0000000002420000 0x02420000 0x0261ffff Private Memory Readable, Writable True False False
private_0x0000000002460000 0x02460000 0x0255ffff Private Memory Readable, Writable True True False
msvcp60.dll 0x6d750000 0x6d7b5fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x6de10000 0x6de17fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x6de20000 0x6de31fff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x6de50000 0x6de5ffff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x6e3b0000 0x6e3e1fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x714a0000 0x714a5fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x73310000 0x73347fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x73670000 0x73676fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x73690000 0x736abfff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x73890000 0x7389ffff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x73c30000 0x73dbffff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x746f0000 0x746f4fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x74a90000 0x74ad3fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x74bd0000 0x74c0bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75070000 0x7508afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x75410000 0x75545fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75670000 0x756a4fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75810000 0x7589efff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x765d0000 0x765d5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76840000 0x76934fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76dc0000 0x76fbafff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77100000 0x77104fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd3000 0x7ffd3000 0x7ffd3fff Private Memory Readable, Writable True False False
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory Readable, Writable True True False
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True False False
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True False False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 address = 0x400000, size = 4096 True 1
Fn
Data
Modify Memory #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 address = 0x401000, size = 69632 True 1
Fn
Data
Modify Memory #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 address = 0x412000, size = 24576 True 1
Fn
Data
Modify Memory #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 address = 0x418000, size = 4096 True 1
Fn
Data
Modify Memory #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 address = 0x419000, size = 4096 True 1
Fn
Data
Modify Memory #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 address = 0x7ffd3008, size = 4 True 1
Fn
Data
Modify Control Flow #3: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0xa34 os_tid = 0xa50, address = 0x77007098 True 1
Fn
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\roaming\chrome\logs.dat 0.02 KB (19 bytes) MD5: 38182931074f70c4af328e12641acd51
SHA1: 96a8d3ad86aa0991ed7e8a0b89b1e3ea007d4327
SHA256: f05dd4eb5990bd9ca1497af17ab66595f92853535c1619748d316e09a4a1a126
False
c:\users\eebsym5\appdata\roaming\chrome\logs.dat 0.01 KB (13 bytes) MD5: 4241be51b5abe777809dc6f32247a4a9
SHA1: 24df3e03dd8d4a0467a7887c9ce865f630f03725
SHA256: 6bf4b2ce4815a57a74e5314f7087bad520eeb4fadc849c3088b62e24ca7dea8c
False
Host Behavior
File (69)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 9
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\widfu desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 9
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 10
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\widfu desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Fn
Create Directory C:\Users\EEBsYm5\AppData\Roaming\chrome True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\widfu type = size True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh type = size True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat type = file_attributes False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\widfu size = 0, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh size = 2, size_out = 2 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat size = 19 True 1
Fn
Data
Delete C:\Users\EEBsYm5\AppData\Local\Temp\widfu True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@ad13.adfarm1.adition[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adfarm1.adition[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adform[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adnxs[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@adtech[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@advertising[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@api.bing[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@at.atwola[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bing[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@bs.serving-sys[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.bing[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@c.msn[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@google[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@linkedin[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@msn[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@scorecardresearch[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@serving-sys[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@track.adform[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.bing[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.linkedin[1].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\eebsym5@www.msn[2].txt True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Microsoft\Windows\Cookies\index.dat False 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\cookies.sqlite True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\logins.json False 1
Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\key3.db True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Cookies True 1
Fn
Delete C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data True 1
Fn
Registry (28)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1
Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1
Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 2
Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1
Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 4
Fn
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ False 2
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1
Fn
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1
Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = FR False 1
Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = name, data = 180 False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders value_name = Cookies, data = 37 True 1
Fn
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = WD, data = 2636, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 2
Fn
Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 1
Fn
Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = FR, data = 1, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 3
Fn
Data
Process (5)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\svchost.exe os_pid = 0xa6c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" os_pid = 0xa90, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" os_pid = 0xa98, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" os_pid = 0xaa0, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = SYNCHRONIZE True 1
Fn
Thread (12)
Operation Process Additional Information Success Count Logfile
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa64 True 1
Fn
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa64 True 1
Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa64 True 1
Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0xa88 True 1
Fn
Memory (29)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\system32\svchost.exe address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496 True 1
Fn
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 356352 True 1
Fn
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 147456 True 1
Fn
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 122880 True 1
Fn
Read C:\Windows\system32\svchost.exe address = 0x7ffd7008, size = 4 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x7ffdb008, size = 4 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x7ffdb008, size = 4 True 1
Fn
Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x7ffdb008, size = 4 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x400000, size = 4096 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x401000, size = 69632 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x412000, size = 24576 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x418000, size = 4096 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x419000, size = 4096 True 1
Fn
Data
Write C:\Windows\system32\svchost.exe address = 0x7ffd7008, size = 4 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x400000, size = 512 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x401000, size = 172032 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x455000, size = 3584 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x456000, size = 2048 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh" address = 0x7ffdb008, size = 4 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x400000, size = 512 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x401000, size = 54784 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x422000, size = 3584 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x423000, size = 4096 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu" address = 0x7ffdb008, size = 4 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x400000, size = 512 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x401000, size = 44032 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x41c000, size = 3584 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x41d000, size = 4096 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl" address = 0x7ffdb008, size = 4 True 1
Fn
Data
Module (33)
Operation Module Additional Information Success Count Logfile
Load User32.dll base_address = 0x755a0000 True 1
Fn
Load kernel32.dll base_address = 0x769e0000 True 2
Fn
Load Psapi.dll base_address = 0x77100000 True 2
Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x755a0000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 3
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 3
Fn
Get Handle c:\windows\system32\shell32.dll base_address = 0x75980000 True 1
Fn
Get Handle c:\windows\system32\ntdll.dll base_address = 0x76fc0000 True 4
Fn
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2
Fn
Get Address c:\windows\system32\user32.dll function = GetCursorInfo, address_out = 0x75604b31 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetLastInputInfo, address_out = 0x755b3834 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetConsoleWindow, address_out = 0x76a42787 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExA, address_out = 0x771015bc True 1
Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExW, address_out = 0x771013f0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalMemoryStatusEx, address_out = 0x76a18a2b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x76a24785 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExW, address_out = 0x76a20f04 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = IsUserAnAdmin, address_out = 0x759d44f5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetProcessDEPPolicy, address_out = 0x76a1602f True 1
Fn
Get Address c:\windows\system32\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x770069b8 True 4
Fn
Keyboard (6)
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
Fn
Read virtual_key_code = VK_CAPITAL, result_out = 0 True 5
Fn
System (85)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = cRh2YWu7, type = ComputerNameDnsHostname True 1
Fn
Get Clipboard format = 1 False 1
Fn
Sleep duration = 10000 milliseconds (10.000 seconds) True 2
Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 11
Fn
Sleep duration = 1200000 milliseconds (1200.000 seconds) True 1
Fn
Sleep duration = 3000 milliseconds (3.000 seconds) True 7
Fn
Sleep duration = 2000 milliseconds (2.000 seconds) True 1
Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 36
Fn
Get Time type = Ticks, time = 58281 True 2
Fn
Get Time type = Ticks, time = 58359 True 2
Fn
Get Time type = Ticks, time = 58515 True 2
Fn
Get Time type = Ticks, time = 59607 True 1
Fn
Get Time type = Ticks, time = 60621 True 1
Fn
Get Time type = Ticks, time = 61635 True 1
Fn
Get Time type = Ticks, time = 62650 True 1
Fn
Get Time type = Ticks, time = 63664 True 1
Fn
Get Time type = Ticks, time = 64678 True 1
Fn
Get Time type = Ticks, time = 65692 True 1
Fn
Get Time type = Ticks, time = 66706 True 1
Fn
Get Time type = Ticks, time = 67720 True 1
Fn
Get Time type = Ticks, time = 68156 True 2
Fn
Get Time type = Ticks, time = 68734 True 1
Fn
Get Time type = Ticks, time = 69748 True 1
Fn
Get Time type = Ticks, time = 70762 True 1
Fn
Get Time type = Ticks, time = 71776 True 1
Fn
Get Time type = Ticks, time = 72790 True 1
Fn
Get Time type = Ticks, time = 73804 True 1
Fn
Get Time type = Ticks, time = 74818 True 1
Fn
Get Time type = Ticks, time = 75988 True 1
Fn
Mutex (3)
Operation Additional Information Success Count Logfile
Create mutex_name = 34419-GRNPWA True 1
Fn
Open mutex_name = Remcos_Mutex_Inj, desired_access = SYNCHRONIZE False 1
Fn
Open mutex_name = Mutex_RemWatchdog, desired_access = SYNCHRONIZE False 1
Fn
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Resolve Name host = jlux123.no-ip.biz False 1
Fn
Resolve Name host = jluxi.dynu.com, address_out = 185.62.188.68 True 1
Fn
TCP Sessions (3)
Information Value
Total Data Sent 0.77 KB (788 bytes)
Total Data Received 286.71 KB (293588 bytes)
Contacted Host Count 1
Contacted Hosts 185.62.188.68:1991
TCP Session #1
Information Value
Handle 0x18c
Address Family AF_UNSPEC
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 185.62.188.68
Remote Port 1991
Local Address 0.0.0.0
Local Port 1728
Data Sent 0.63 KB (641 bytes)
Data Received 0.15 KB (156 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.62.188.68, remote_port = 1991 True 1
Fn
Send flags = NO_FLAG_SET, size = 485, size_out = 485 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 45 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 78, size_out = 78 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 47 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 32 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1000 False 1
Fn
Send flags = NO_FLAG_SET, size = 78, size_out = 78 True 1
Fn
Data
TCP Session #2
Information Value
Handle 0x1b4
Address Family AF_UNSPEC
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 185.62.188.68
Remote Port 1991
Local Address 0.0.0.0
Local Port 1984
Data Sent 0.10 KB (99 bytes)
Data Received 286.55 KB (293432 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.62.188.68, remote_port = 1991 True 1
Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 1000 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 4808 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 3244 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 340 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 9052 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 3752 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 3508 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 2904 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 1452 True 2
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 1920 True 1
Fn
Data
Send flags = NO_FLAG_SET, size = 57, size_out = 57 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #3
Information Value
Handle 0x1c8
Address Family AF_UNSPEC
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 185.62.188.68
Remote Port 1991
Local Address 0.0.0.0
Local Port 2240
Data Sent 0.05 KB (48 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.62.188.68, remote_port = 1991 True 1
Fn
Send flags = NO_FLAG_SET, size = 48, size_out = 48 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
Process #5: svchost.exe
(Host: 19, Network: 0)
Information Value
ID #5
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:20, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:51
OS Process Information
Information Value
PID 0xa6c
Parent PID 0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA70
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False
private_0x0000000000170000 0x00170000 0x001affff Private Memory Readable, Writable True False False
locale.nls 0x001b0000 0x00216fff Memory Mapped File Readable False False False
svchost.exe 0x002b0000 0x002b7fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x00000000002c0000 0x002c0000 0x00387fff Pagefile Backed Memory Readable True False False
private_0x00000000003b0000 0x003b0000 0x003bffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00419fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x00520fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000530000 0x00530000 0x0112ffff Pagefile Backed Memory Readable True False False
private_0x0000000001130000 0x01130000 0x0122ffff Private Memory Readable, Writable True False False
msvcp60.dll 0x6d750000 0x6d7b5fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x6e3b0000 0x6e3e1fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x73c30000 0x73dbffff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x75410000 0x75545fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75670000 0x756a4fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75810000 0x7589efff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x765d0000 0x765d5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76840000 0x76934fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76dc0000 0x76fbafff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 address = 0x400000, size = 4096 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 address = 0x401000, size = 69632 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 address = 0x412000, size = 24576 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 address = 0x418000, size = 4096 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 address = 0x419000, size = 4096 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 address = 0x7ffd7008, size = 4 True 1
Modify Control Flow #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa64 os_tid = 0xa70, address = 0x77007098 True 1
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe type = size True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe size = 45216, size_out = 45216 True 1
Registry (6)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 2
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = WD, data = 2636, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, data = 169 True 1
Delete Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = WD True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Open c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe desired_access = SYNCHRONIZE True 1
Module (8)
Operation Module Additional Information Success Count Logfile
Load User32.dll base_address = 0x755a0000 True 1
Load kernel32.dll base_address = 0x769e0000 True 1
Get Handle c:\windows\system32\user32.dll base_address = 0x755a0000 True 1
Get Handle private_0x0000000000400000 base_address = 0x400000 True 1
Get Filename process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 True 1
Get Address c:\windows\system32\user32.dll function = GetCursorInfo, address_out = 0x75604b31 True 1
Get Address c:\windows\system32\user32.dll function = GetLastInputInfo, address_out = 0x755b3834 True 1
Get Address c:\windows\system32\kernel32.dll function = GetConsoleWindow, address_out = 0x76a42787 True 1
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = Mutex_RemWatchdog True 1
Process #6: regsvcs.exe
(Host: 1260, Network: 0)
Information Value
ID #6
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh"
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:20, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:51
OS Process Information
Information Value
PID 0xa90
Parent PID 0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA94
0xAB0
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x0012ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000130000 0x00130000 0x00133fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable True False False
locale.nls 0x00150000 0x001b6fff Memory Mapped File Readable False False False
pagefile_0x00000000001c0000 0x001c0000 0x00287fff Pagefile Backed Memory Readable True False False
private_0x0000000000290000 0x00290000 0x00290fff Private Memory Readable, Writable True False False
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory Readable, Writable True False False
private_0x00000000002b0000 0x002b0000 0x003affff Private Memory Readable, Writable True False False
pagefile_0x00000000003b0000 0x003b0000 0x003b0fff Pagefile Backed Memory Readable, Writable True False False
rsaenh.dll 0x003c0000 0x003fbfff Memory Mapped File Readable False False False
tzres.dll 0x003c0000 0x003c0fff Memory Mapped File Readable False False False
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False
pagefile_0x00000000003c0000 0x003c0000 0x003c6fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003e0000 0x003e0000 0x003e1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000003f0000 0x003f0000 0x003f6fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00456fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000460000 0x00460000 0x00560fff Pagefile Backed Memory Readable True False False
private_0x0000000000570000 0x00570000 0x005effff Private Memory Readable, Writable True False False
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory Readable, Writable True False False
private_0x0000000000650000 0x00650000 0x0074ffff Private Memory Readable, Writable True False False
private_0x0000000000750000 0x00750000 0x00850fff Private Memory Readable, Writable True False False
private_0x0000000000750000 0x00750000 0x0081ffff Private Memory Readable, Writable True False False
regsvcs.exe 0x008e0000 0x008edfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x00000000008f0000 0x008f0000 0x014effff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x014f0000 0x017befff Memory Mapped File Readable False False False
private_0x0000000001820000 0x01820000 0x0191ffff Private Memory Readable, Writable True False False
nss3.dll 0x01920000 0x01ad1fff Memory Mapped File Readable False False False
private_0x0000000001920000 0x01920000 0x01a1ffff Private Memory Readable, Writable True False False
private_0x0000000001a20000 0x01a20000 0x01b1ffff Private Memory Readable, Writable True False False
private_0x0000000001b00000 0x01b00000 0x01bfffff Private Memory Readable, Writable True False False
pagefile_0x0000000001c00000 0x01c00000 0x01ff2fff Pagefile Backed Memory Readable True False False
nss3.dll 0x6ce40000 0x6cff4fff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x6d0a0000 0x6d0eefff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x6d0b0000 0x6d0fefff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x6d0f0000 0x6d116fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x6d100000 0x6d116fff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x6d120000 0x6d146fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x6d130000 0x6d146fff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x6d150000 0x6d1b8fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x6d590000 0x6d5b1fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x6d5c0000 0x6d67dfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6d6c0000 0x6d743fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x6de40000 0x6de46fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x6e3b0000 0x6e3e1fff Memory Mapped File Readable, Writable, Executable False False False
vaultcli.dll 0x6e640000 0x6e64bfff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x72970000 0x7297cfff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73840000 0x73853fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74660000 0x74668fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x749b0000 0x749eafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74c10000 0x74c25fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x75410000 0x75545fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75670000 0x756a4fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x75810000 0x7589efff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x765d0000 0x765d5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76840000 0x76934fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76dc0000 0x76fbafff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77100000 0x77104fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77170000 0x771eafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x400000, size = 512 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x401000, size = 172032 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x455000, size = 3584 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x456000, size = 2048 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x7ffdb008, size = 4 True 1
Modify Control Flow #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 os_tid = 0xa94, address = 0x77007098 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\moqutzmqrxoadnrfihvxswbpaqgibrkh 0.00 KB (2 bytes) MD5: f3b25701fe362ec84616a93a45ce9998
SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
False
Host Behavior
File (778)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = GENERIC_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat type = size True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat type = size True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat type = size True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat type = size True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite type = time True 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_attributes True 1
Get Info C:\Program Files\Mozilla Firefox\nss3.dll type = file_attributes True 3
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\logins.json type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.sqlite type = file_attributes True 1
Get Info C:\Program Files\Mozilla Firefox\sqlite3.dll type = file_attributes False 1
Get Info C:\Program Files\Mozilla Firefox\mozsqlite3.dll type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini type = file_attributes False 1
Get Info C:\Program Files\Sea Monkey\nss3.dll type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal type = file_attributes True 2
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data type = size, size_out = 0 True 5
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal type = file_attributes False 2
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal type = file_attributes True 2
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data type = size, size_out = 0 True 5
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data-wal type = file_attributes False 2
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Apple Computer\Preferences\keychain.plist type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera\wand.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera7\profile\wand.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Opera Software\Opera Stable\Login Data type = file_attributes False 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 32, size_out = 32 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 8, size_out = 8 True 136
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 256, size_out = 256 True 109
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat size = 384, size_out = 384 True 3
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat size = 32, size_out = 32 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat size = 8, size_out = 8 True 124
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat size = 256, size_out = 256 True 123
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat size = 384, size_out = 384 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 32, size_out = 32 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 8, size_out = 8 True 90
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 256, size_out = 256 True 2
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat size = 384, size_out = 384 True 2
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat size = 32, size_out = 32 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat size = 8, size_out = 8 True 94
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat size = 256, size_out = 256 True 2
Read C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data size = 100, size_out = 100 True 1
Read C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data size = 2048, size_out = 2048 True 4
Read C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data size = 16, size_out = 16 True 1
Read C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 100, size_out = 100 True 1
Read C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 2048, size_out = 2048 True 2
Read C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 16, size_out = 16 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\moqutzmqrxoadnrfihvxswbpaqgibrkh size = 2 True 1
Registry (29)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin False 3
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 2
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla False 2
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla False 1
Process (48)
Operation Process Additional Information Success Count Logfile
Open System desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\smss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\wininit.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\services.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\lsm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\csrss.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\winlogon.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\audiodg.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\spoolsv.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\program files\adobe\reader 10.0\reader\reader_sl.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\taskeng.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\program files\microsoft analysis services\ind-licenses-manual-nickel.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\conhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows photo viewer\pokemon_limousines_alternate.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft visual studio 8\salvation_sure_perspective_ranges.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\microsoft sync framework\possessionschooldeterminedgamma.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\common files\surfing.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\uninstall information\fred_delays.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows portable devices\voice-moore-yemen.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\google\north comp.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows journal\remote_costa_security.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows sidebar\demonstrate-brandon-pa.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows mail\dsc_meaning.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\mozilla maintenance service\medieval-ranges-san-delhi.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows journal\genderwriters.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\mozilla firefox\mileage-act.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\windows media player\variables except besides.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\program files\microsoft sync framework\blind-ratio.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\mobsync.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Open c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Fn
Module (374)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x6d6c0000 True 1
Fn
Load shell32.dll base_address = 0x75980000 True 1
Fn
Load advapi32.dll base_address = 0x76940000 True 2
Fn
Load pstorec.dll base_address = 0x72970000 True 1
Fn
Load vaultcli.dll base_address = 0x6e640000 True 1
Fn
Load C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x6ce40000 True 1
Fn
Load psapi.dll base_address = 0x77100000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 3
Fn
Get Handle c:\windows\system32\msvcrt.dll base_address = 0x76d10000 True 1
Fn
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x6d6c0000 True 1
Fn
Get Handle c:\windows\system32\version.dll base_address = 0x74660000 True 1
Fn
Get Handle c:\windows\system32\wininet.dll base_address = 0x76840000 True 1
Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x755a0000 True 1
Fn
Get Handle c:\windows\system32\gdi32.dll base_address = 0x75550000 True 1
Fn
Get Handle c:\windows\system32\comdlg32.dll base_address = 0x77170000 True 1
Fn
Get Handle c:\windows\system32\advapi32.dll base_address = 0x76940000 True 1
Fn
Get Handle c:\windows\system32\shell32.dll base_address = 0x75980000 True 1
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x76680000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 22
Fn
Get Handle C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x0 False 1
Fn
Get Handle c:\program files\mozilla firefox\nss3.dll base_address = 0x6ce40000 True 2
Fn
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\adobe\reader 10.0\reader\reader_sl.exe, file_name_orig = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\taskeng.exe, file_name_orig = C:\Windows\system32\taskeng.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft analysis services\ind-licenses-manual-nickel.exe, file_name_orig = C:\Program Files\Microsoft Analysis Services\ind-licenses-manual-nickel.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\conhost.exe, file_name_orig = C:\Program Files\Windows Mail\handed.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows photo viewer\pokemon_limousines_alternate.exe, file_name_orig = C:\Program Files\Windows Photo Viewer\pokemon_limousines_alternate.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft visual studio 8\salvation_sure_perspective_ranges.exe, file_name_orig = C:\Program Files\Microsoft Visual Studio 8\salvation_sure_perspective_ranges.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft sync framework\possessionschooldeterminedgamma.exe, file_name_orig = C:\Program Files\Microsoft Sync Framework\possessionschooldeterminedgamma.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\common files\surfing.exe, file_name_orig = C:\Program Files\Common Files\surfing.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\uninstall information\fred_delays.exe, file_name_orig = C:\Program Files\Uninstall Information\fred_delays.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows portable devices\voice-moore-yemen.exe, file_name_orig = C:\Program Files\Windows Portable Devices\voice-moore-yemen.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\google\north comp.exe, file_name_orig = C:\Program Files\Google\north comp.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows journal\remote_costa_security.exe, file_name_orig = C:\Program Files\Windows Journal\remote_costa_security.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows sidebar\demonstrate-brandon-pa.exe, file_name_orig = C:\Program Files\Windows Sidebar\demonstrate-brandon-pa.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows mail\dsc_meaning.exe, file_name_orig = C:\Program Files\Windows Mail\dsc_meaning.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\mozilla maintenance service\medieval-ranges-san-delhi.exe, file_name_orig = C:\Program Files\Mozilla Maintenance Service\medieval-ranges-san-delhi.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows journal\genderwriters.exe, file_name_orig = C:\Program Files\Windows Journal\genderwriters.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\mozilla firefox\mileage-act.exe, file_name_orig = C:\Program Files\Mozilla Firefox\mileage-act.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\windows media player\variables except besides.exe, file_name_orig = C:\Program Files\Windows Media Player\variables except besides.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\program files\microsoft sync framework\blind-ratio.exe, file_name_orig = C:\Program Files\Microsoft Sync Framework\blind-ratio.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\mobsync.exe, file_name_orig = C:\Windows\System32\mobsync.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 1
Fn
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualProtect, address_out = 0x76a22341 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __setusermatherr, address_out = 0x76da77ad True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _adjust_fdiv, address_out = 0x76db32ec True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __p__commode, address_out = 0x76d227c3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __p__fmode, address_out = 0x76d227ce True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcscat, address_out = 0x76d90ea6 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __set_app_type, address_out = 0x76d22804 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _controlfp, address_out = 0x76d1e1e1 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = realloc, address_out = 0x76d1b10d True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = qsort, address_out = 0x76d1d3e6 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _itow, address_out = 0x76d2019c True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcsupr, address_out = 0x76d1dac1 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcslwr, address_out = 0x76d1fb25 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strchr, address_out = 0x76d1dbeb True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _initterm, address_out = 0x76d1c151 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsncmp, address_out = 0x76d1b05e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memmove, address_out = 0x76d19e5a True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = free, address_out = 0x76d19894 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = modf, address_out = 0x76d27551 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _memicmp, address_out = 0x76d206c8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcstoul, address_out = 0x76d1b319 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = malloc, address_out = 0x76d19cee True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _XcptFilter, address_out = 0x76d3dc75 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcpy, address_out = 0x76d28d6e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wtoi64, address_out = 0x76d2062e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcmp, address_out = 0x76d28b11 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsrchr, address_out = 0x76d1a73f True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __wgetmainargs, address_out = 0x76d24e7c True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcmdln, address_out = 0x76db04dc True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = exit, address_out = 0x76d236aa True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strlwr, address_out = 0x76d2ca0b True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _cexit, address_out = 0x76d237d4 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcsnicmp, address_out = 0x76d1aae3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcmp, address_out = 0x76d27975 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcscmp, address_out = 0x76d2d3b7 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = abs, address_out = 0x76d3eb1e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = log, address_out = 0x76d3de50 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _purecall, address_out = 0x76d76ea9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcslen, address_out = 0x76d2d335 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wtoi, address_out = 0x76d1c823 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcsicmp, address_out = 0x76d1a9e9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcschr, address_out = 0x76d1aa61 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcpy, address_out = 0x76d19910 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcscpy, address_out = 0x76d2d4f8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memset, address_out = 0x76d19790 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strlen, address_out = 0x76d243d3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsncat, address_out = 0x76d90ed9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _snwprintf, address_out = 0x76d395d1 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _except_handler3, address_out = 0x76d3d770 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _exit, address_out = 0x76d7b2c0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _c_exit, address_out = 0x76d7b2db True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _onexit, address_out = 0x76d2112d True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __dllonexit, address_out = 0x76d1f509 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memchr, address_out = 0x76d2e134 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _gmtime64, address_out = 0x76d92936 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strftime, address_out = 0x76d91fd5 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 17, address_out = 0x6d6c1739 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_AddMasked, address_out = 0x6d6c8b75 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_SetImageCount, address_out = 0x6d726e17 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_Create, address_out = 0x6d6c908c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_ReplaceIcon, address_out = 0x6d726ea3 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateToolbarEx, address_out = 0x6d6ea4d5 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateStatusWindowW, address_out = 0x6d6ea10f True 1
Fn
Get Address c:\windows\system32\version.dll function = GetFileVersionInfoSizeW, address_out = 0x746619d9 True 1
Fn
Get Address c:\windows\system32\version.dll function = GetFileVersionInfoW, address_out = 0x746619f4 True 1
Fn
Get Address c:\windows\system32\version.dll function = VerQueryValueW, address_out = 0x74661b51 True 1
Fn
Get Address c:\windows\system32\wininet.dll function = FindCloseUrlCache, address_out = 0x76888409 True 1
Fn
Get Address c:\windows\system32\wininet.dll function = FindNextUrlCacheEntryW, address_out = 0x7687989c True 1
Fn
Get Address c:\windows\system32\wininet.dll function = FindFirstUrlCacheEntryW, address_out = 0x7687978a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFullPathNameA, address_out = 0x76a33735 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x76a247cb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x76a13530 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFullPathNameW, address_out = 0x76a34543 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = AreFileApisANSI, address_out = 0x76a6f311 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnterCriticalSection, address_out = 0x770077a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemTime, address_out = 0x76a2ced8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockFileEx, address_out = 0x76a4692f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x76a48868 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x76a32fde True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnlockFileEx, address_out = 0x76a46947 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x76a2ba60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockFile, address_out = 0x76a4642f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlushFileBuffers, address_out = 0x76a17f81 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSection, address_out = 0x7701a149 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x76a2cee8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDiskFreeSpaceA, address_out = 0x76a3d7d2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x76a2ba46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x76a2cf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x76a33891 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x76a46a65 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnlockFile, address_out = 0x76a46417 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InterlockedCompareExchange, address_out = 0x76a2bb92 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteCriticalSection, address_out = 0x77019ac5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesExW, address_out = 0x76a2273d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = QueryPerformanceCounter, address_out = 0x76a2bb9f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x76a31de6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LeaveCriticalSection, address_out = 0x77007760 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetEndOfFile, address_out = 0x76a22319 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemInfo, address_out = 0x76a33728 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceTypesW, address_out = 0x76a42b37 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x76a2ca64 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x76a20273 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SystemTimeToFileTime, address_out = 0x76a2cecb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x76a2ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x76a32004 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x76a20f62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x76a167c3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x76a2cc56 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareFileTime, address_out = 0x76a313f3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x76a2d9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryW, address_out = 0x76a33c01 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x76a333d3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x76a2bf00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FileTimeToSystemTime, address_out = 0x76a31dfe True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x76a1f5b2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentDirectoryW, address_out = 0x76a3c13a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x76a24680 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x76a3450e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x76a3452b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalLock, address_out = 0x76a29e05 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDateFormatW, address_out = 0x76a2afab True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileTime, address_out = 0x76a20f6f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageW, address_out = 0x76a254a3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameW, address_out = 0x76a16d1d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x76a23b1a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76a30e62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x76a353b2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleW, address_out = 0x76a3374d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatW, address_out = 0x76a2ac29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x76a2db36 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x76a364ff True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x76a204b6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x76a296fb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x76a33c26 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76a31400 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindResourceW, address_out = 0x76a23e61 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockResource, address_out = 0x76a1fd29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrcpyW, address_out = 0x76a18bfa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrlenW, address_out = 0x76a2d9e8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadResource, address_out = 0x76a2984d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SystemTimeToTzSpecificLocalTime, address_out = 0x76a1b149 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExW, address_out = 0x76a24775 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x76a29ce1 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalUnlock, address_out = 0x76a29d50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathW, address_out = 0x76a18b33 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x76a2963a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SizeofResource, address_out = 0x76a23e7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileMappingW, address_out = 0x76a20a7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MapViewOfFile, address_out = 0x76a2899b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnmapViewOfFile, address_out = 0x76a2db13 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x76a2cdcf True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DuplicateHandle, address_out = 0x76a2cdd9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x76a2cac4 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = OpenProcess, address_out = 0x76a259d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringW, address_out = 0x76a17d32 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WritePrivateProfileStringW, address_out = 0x76a180eb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileIntW, address_out = 0x76a1775f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceNamesW, address_out = 0x76a47e29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x76a31e46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetErrorMode, address_out = 0x76a34a51 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x76a3214f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadProcessMemory, address_out = 0x76a1c1ce True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryW, address_out = 0x76a37663 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Process32FirstW, address_out = 0x76a1fa35 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Process32NextW, address_out = 0x76a1faca True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x76a1f731 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DispatchMessageW, address_out = 0x755bcc61 True 1
Fn
Get Address c:\windows\system32\user32.dll function = BeginDeferWindowPos, address_out = 0x755aa6a6 True 1
Fn
Get Address c:\windows\system32\user32.dll function = TranslateMessage, address_out = 0x755b64c7 True 1
Fn
Get Address c:\windows\system32\user32.dll function = IsDialogMessageW, address_out = 0x755b4104 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DrawTextExW, address_out = 0x755b5894 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMessageW, address_out = 0x755bcde8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = PostQuitMessage, address_out = 0x755ab308 True 1
Fn
Get Address c:\windows\system32\user32.dll function = TrackPopupMenu, address_out = 0x755c2228 True 1
Fn
Get Address c:\windows\system32\user32.dll function = RegisterWindowMessageW, address_out = 0x755adf8d True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetKeyState, address_out = 0x755b2b4d True 1
Fn
Get Address c:\windows\system32\user32.dll function = EndDeferWindowPos, address_out = 0x755aa67a True 1
Fn
Get Address c:\windows\system32\user32.dll function = DialogBoxParamW, address_out = 0x755c3b9b True 1
Fn
Get Address c:\windows\system32\user32.dll function = ChildWindowFromPoint, address_out = 0x755eb6aa True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadCursorW, address_out = 0x755aed90 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetCursor, address_out = 0x755b3075 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSysColorBrush, address_out = 0x755af1ed True 1
Fn
Get Address c:\windows\system32\user32.dll function = ShowWindow, address_out = 0x755af2a9 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowTextW, address_out = 0x755b612b True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetDlgItemInt, address_out = 0x755cec2e True 1
Fn
Get Address c:\windows\system32\user32.dll function = UpdateWindow, address_out = 0x755affa8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetDlgItemTextW, address_out = 0x755cebd4 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgItemTextW, address_out = 0x755cecbc True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetClientRect, address_out = 0x755b54dd True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x755b67cf True 1
Fn
Get Address c:\windows\system32\user32.dll function = DeferWindowPos, address_out = 0x755aa6c8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CreateWindowExW, address_out = 0x755aec7c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowRect, address_out = 0x755b558c True 1
Fn
Get Address c:\windows\system32\user32.dll function = SendDlgItemMessageW, address_out = 0x755c70d8 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItemInt, address_out = 0x755ced56 True 1
Get Address c:\windows\system32\user32.dll function = EndDialog, address_out = 0x755d3ba3 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowLongW, address_out = 0x755b4449 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItem, address_out = 0x755d42bb True 1
Get Address c:\windows\system32\user32.dll function = InvalidateRect, address_out = 0x755b566d True 1
Get Address c:\windows\system32\user32.dll function = GetWindowPlacement, address_out = 0x755d69de True 1
Get Address c:\windows\system32\user32.dll function = LoadAcceleratorsW, address_out = 0x755a976d True 1
Get Address c:\windows\system32\user32.dll function = DefWindowProcW, address_out = 0x755b507d True 1
Get Address c:\windows\system32\user32.dll function = SendMessageW, address_out = 0x755b5539 True 1
Get Address c:\windows\system32\user32.dll function = PostMessageW, address_out = 0x755b447b True 1
Get Address c:\windows\system32\user32.dll function = RegisterClassW, address_out = 0x755aed4a True 1
Get Address c:\windows\system32\user32.dll function = MessageBoxW, address_out = 0x755fea5f True 1
Get Address c:\windows\system32\user32.dll function = TranslateAcceleratorW, address_out = 0x755b667e True 1
Get Address c:\windows\system32\user32.dll function = SetMenu, address_out = 0x755d6b0e True 1
Get Address c:\windows\system32\user32.dll function = SetWindowPlacement, address_out = 0x755a7f78 True 1
Get Address c:\windows\system32\user32.dll function = LoadImageW, address_out = 0x755b12eb True 1
Get Address c:\windows\system32\user32.dll function = LoadIconW, address_out = 0x755af142 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowLongW, address_out = 0x755b61b8 True 1
Get Address c:\windows\system32\user32.dll function = SetFocus, address_out = 0x755aabad True 1
Get Address c:\windows\system32\user32.dll function = GetMenuStringW, address_out = 0x755d6528 True 1
Get Address c:\windows\system32\user32.dll function = CheckMenuItem, address_out = 0x755cee7c True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemCount, address_out = 0x755aae39 True 1
Get Address c:\windows\system32\user32.dll function = CheckMenuRadioItem, address_out = 0x755c25df True 1
Get Address c:\windows\system32\user32.dll function = CloseClipboard, address_out = 0x755d446c True 1
Get Address c:\windows\system32\user32.dll function = GetCursorPos, address_out = 0x755aa4b3 True 1
Get Address c:\windows\system32\user32.dll function = SetClipboardData, address_out = 0x755c2962 True 1
Get Address c:\windows\system32\user32.dll function = EnableWindow, address_out = 0x755a8d02 True 1
Get Address c:\windows\system32\user32.dll function = GetSysColor, address_out = 0x755bdb7a True 1
Get Address c:\windows\system32\user32.dll function = GetParent, address_out = 0x755b6029 True 1
Get Address c:\windows\system32\user32.dll function = MapWindowPoints, address_out = 0x755b5caa True 1
Get Address c:\windows\system32\user32.dll function = GetMenu, address_out = 0x755d6b68 True 1
Get Address c:\windows\system32\user32.dll function = GetDC, address_out = 0x755b544c True 1
Get Address c:\windows\system32\user32.dll function = GetSubMenu, address_out = 0x755a9c19 True 1
Get Address c:\windows\system32\user32.dll function = EmptyClipboard, address_out = 0x755c290c True 1
Get Address c:\windows\system32\user32.dll function = EnableMenuItem, address_out = 0x755d43bc True 1
Get Address c:\windows\system32\user32.dll function = ReleaseDC, address_out = 0x755b5421 True 1
Get Address c:\windows\system32\user32.dll function = GetClassNameW, address_out = 0x755b2a29 True 1
Get Address c:\windows\system32\user32.dll function = OpenClipboard, address_out = 0x755d447e True 1
Get Address c:\windows\system32\user32.dll function = MoveWindow, address_out = 0x755a8d29 True 1
Get Address c:\windows\system32\user32.dll function = CreateDialogParamW, address_out = 0x755d5630 True 1
Get Address c:\windows\system32\user32.dll function = EnumChildWindows, address_out = 0x755b2948 True 1
Get Address c:\windows\system32\user32.dll function = LoadStringW, address_out = 0x755adfba True 1
Get Address c:\windows\system32\user32.dll function = DestroyWindow, address_out = 0x755ab2f4 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowPos, address_out = 0x755b1bc4 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowTextW, address_out = 0x755ab8c5 True 1
Get Address c:\windows\system32\user32.dll function = LoadMenuW, address_out = 0x755af214 True 1
Get Address c:\windows\system32\user32.dll function = ModifyMenuW, address_out = 0x755d46c7 True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemInfoW, address_out = 0x755aaefa True 1
Get Address c:\windows\system32\user32.dll function = GetDlgCtrlID, address_out = 0x755ab4e8 True 1
Get Address c:\windows\system32\user32.dll function = DestroyMenu, address_out = 0x755a87f7 True 1
Get Address c:\windows\system32\gdi32.dll function = SetBkColor, address_out = 0x75556a3c True 1
Get Address c:\windows\system32\gdi32.dll function = SelectObject, address_out = 0x75556640 True 1
Get Address c:\windows\system32\gdi32.dll function = GetDeviceCaps, address_out = 0x75556f7f True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x6d6c6be6 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x759a0468 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x769491dd True 1
Get Address c:\windows\system32\advapi32.dll function = CryptReleaseContext, address_out = 0x7694e124 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7694df4e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGetHashParam, address_out = 0x7694df7e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7694df36 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7694df66 True 1
Get Address c:\windows\system32\advapi32.dll function = CredReadA, address_out = 0x769871c1 True 1
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x7694b2ec True 1
Get Address c:\windows\system32\advapi32.dll function = CredDeleteA, address_out = 0x76987941 True 1
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateA, address_out = 0x76987381 True 1
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76987481 True 1
Get Address c:\windows\system32\pstorec.dll function = PStoreCreateInstance, address_out = 0x7297526c True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultOpenVault, address_out = 0x6e6426a9 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultCloseVault, address_out = 0x6e642718 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultEnumerateItems, address_out = 0x6e643099 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultFree, address_out = 0x6e644321 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultGetInformation, address_out = 0x6e6424c0 True 1
Get Address c:\windows\system32\vaultcli.dll function = VaultGetItem, address_out = 0x6e643242 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x6cefd70b True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x6cefd13c True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x6ce93c51 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x6ce93333 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_CheckUserPassword, address_out = 0x6ce7cbc4 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x6ce7d3ca True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x6ce900a7 True 2
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_open, address_out = 0x6cfa1ca0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_prepare, address_out = 0x6cf2ce70 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_step, address_out = 0x6cf95200 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_column_text, address_out = 0x6cf4d400 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_column_int, address_out = 0x6cf4d3a0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_column_int64, address_out = 0x6cf4d3d0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_finalize, address_out = 0x6cf79f60 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_close, address_out = 0x6cf7bde0 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = sqlite3_exec, address_out = 0x6cf7a270 True 1
Get Address c:\windows\system32\psapi.dll function = GetModuleBaseNameW, address_out = 0x7710152c True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x77101408 True 1
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExW, address_out = 0x771013f0 True 1
Get Address c:\windows\system32\psapi.dll function = EnumProcesses, address_out = 0x77101544 True 1
Get Address c:\windows\system32\psapi.dll function = GetModuleInformation, address_out = 0x77101420 True 1
Get Address c:\windows\system32\kernel32.dll function = GetProcessTimes, address_out = 0x76a1f626 True 1
System (3)
Operation Additional Information Success Count
Get Info type = Operating System False 2
Get Info type = Hardware Information True 1
Ini (28)
Operation Filename Additional Information Success Count
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowInfoTip, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowTimeInGMT, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsIE, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsChrome, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsOpera, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsSafari, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsYandex, default_value = 1 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseChromeProfileFolder, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseOperaPasswordFile, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = FirefoxProfileFolder False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = FirefoxInstallFolder False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ChromeProfileFolder False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = OperaPasswordFile False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFileEncoeding, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = WinPos False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Columns False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default True 1
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = IsRelative, default_value = 0 True 1
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = Path False 1
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = IsRelative, default_value = 0 True 1
Process #7: regsvcs.exe
(Host: 340, Network: 0)
Information Value
ID #7
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\widfu"
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:20, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:51
OS Process Information
Information Value
PID 0xa98
Parent PID 0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA9C
0xAA8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x001cffff Private Memory Readable, Writable True False False
private_0x00000000001d0000 0x001d0000 0x002cffff Private Memory Readable, Writable True False False
pagefile_0x00000000002d0000 0x002d0000 0x00397fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003a0000 0x003a0000 0x003a0fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000003b0000 0x003b0000 0x003cffff Private Memory Readable, Writable True False False
tzres.dll 0x003b0000 0x003b0fff Memory Mapped File Readable False False False
private_0x00000000003c0000 0x003c0000 0x003cffff Private Memory Readable, Writable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000003e0000 0x003e0000 0x003e1fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00423fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000430000 0x00430000 0x00530fff Pagefile Backed Memory Readable True False False
private_0x0000000000570000 0x00570000 0x0057ffff Private Memory Readable, Writable True False False
private_0x0000000000580000 0x00580000 0x0067ffff Private Memory Readable, Writable True False False
rsaenh.dll 0x00680000 0x006bbfff Memory Mapped File Readable False False False
private_0x0000000000730000 0x00730000 0x0073ffff Private Memory Readable, Writable True False False
private_0x0000000000740000 0x00740000 0x0083ffff Private Memory Readable, Writable True False False
regsvcs.exe 0x008e0000 0x008edfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x00000000008f0000 0x008f0000 0x014effff Pagefile Backed Memory Readable True False False
private_0x0000000001500000 0x01500000 0x015fffff Private Memory Readable, Writable True False False
sortdefault.nls 0x01600000 0x018cefff Memory Mapped File Readable False False False
private_0x00000000018d0000 0x018d0000 0x01aeffff Private Memory Readable, Writable True True False
private_0x00000000018d0000 0x018d0000 0x019cffff Private Memory Readable, Writable True False False
private_0x0000000001900000 0x01900000 0x019fffff Private Memory Readable, Writable True False False
private_0x0000000001ab0000 0x01ab0000 0x01aeffff Private Memory Readable, Writable True False False
pagefile_0x0000000001af0000 0x01af0000 0x01ee2fff Pagefile Backed Memory Readable True False False
msvcp100.dll 0x6ced0000 0x6cf38fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x6cf40000 0x6cffdfff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x6d000000 0x6d1b4fff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x6d5b0000 0x6d5fefff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x6d600000 0x6d616fff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x6d620000 0x6d646fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x6d650000 0x6d671fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x6d6c0000 0x6d743fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x6e3b0000 0x6e3e1fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x72980000 0x72986fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x749b0000 0x749eafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x74c10000 0x74c25fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75070000 0x7508afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75090000 0x7509bfff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75670000 0x756a4fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x765d0000 0x765d5fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77170000 0x771eafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source OS Thread ID Injection Info Success Count
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x400000, size = 512 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x401000, size = 54784 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x422000, size = 3584 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x423000, size = 4096 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x7ffdb008, size = 4 True 1
Modify Control Flow #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 os_tid = 0xa9c, address = 0x77007098 True 1
Created Files
Filename File Size Hash Values YARA Match
c:\users\eebsym5\appdata\local\temp\widfu 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e, SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
Host Behavior
File (19)
Operation Filename Additional Information Success Count
Create C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\widfu desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini type = file_attributes False 1
Get Info trillian type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Trillian\users\global type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\.gaim type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\.purple type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Miranda type = file_attributes False 1
Get Info type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\MySpace\IM\users.txt type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Digsby\digsby.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite type = time True 1
Get Info C:\Program Files\Mozilla Firefox\nss3.dll type = file_attributes True 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons.txt type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons2.txt type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\signons3.txt type = file_attributes False 1
Registry (28)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion True 1
Open Key HKEY_LOCAL_MACHINE\Software\Miranda False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService False 3
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL False 1
Open Key HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users False 1
Open Key HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords False 1
Open Key HKEY_CURRENT_USER\Software\AIM\AIMPRO False 1
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager False 1
Open Key HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\NewOwners False 1
Open Key HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners False 1
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts False 1
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes False 1
Open Key HKEY_CURRENT_USER\Software\Paltalk False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion value_name = ProgramFilesDir, data = C:\Program Files, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla False 1
Module (272)
Operation Module Additional Information Success Count
Load comctl32.dll base_address = 0x6d6c0000 True 1
Load shell32.dll base_address = 0x75980000 True 1
Load advapi32.dll base_address = 0x76940000 True 4
Load crypt32.dll base_address = 0x751c0000 True 1
Load C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x6d000000 True 1
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 3
Get Handle c:\windows\system32\msvcrt.dll base_address = 0x76d10000 True 1
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x6d6c0000 True 1
Get Handle c:\windows\system32\user32.dll base_address = 0x755a0000 True 1
Get Handle c:\windows\system32\gdi32.dll base_address = 0x75550000 True 1
Get Handle c:\windows\system32\comdlg32.dll base_address = 0x77170000 True 1
Get Handle c:\windows\system32\advapi32.dll base_address = 0x76940000 True 1
Get Handle c:\windows\system32\shell32.dll base_address = 0x75980000 True 1
Get Handle c:\windows\system32\ole32.dll base_address = 0x76680000 True 1
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2
Get Address c:\windows\system32\kernel32.dll function = VirtualProtect, address_out = 0x76a22341 True 1
Get Address c:\windows\system32\msvcrt.dll function = free, address_out = 0x76d19894 True 1
Get Address c:\windows\system32\msvcrt.dll function = _strlwr, address_out = 0x76d2ca0b True 1
Get Address c:\windows\system32\msvcrt.dll function = _strupr, address_out = 0x76d2d49e True 1
Get Address c:\windows\system32\msvcrt.dll function = _wcslwr, address_out = 0x76d1fb25 True 1
Get Address c:\windows\system32\msvcrt.dll function = qsort, address_out = 0x76d1d3e6 True 1
Get Address c:\windows\system32\msvcrt.dll function = _wcsnicmp, address_out = 0x76d1aae3 True 1
Get Address c:\windows\system32\msvcrt.dll function = strncmp, address_out = 0x76d1b443 True 1
Get Address c:\windows\system32\msvcrt.dll function = __dllonexit, address_out = 0x76d1f509 True 1
Get Address c:\windows\system32\msvcrt.dll function = _onexit, address_out = 0x76d2112d True 1
Get Address c:\windows\system32\msvcrt.dll function = _c_exit, address_out = 0x76d7b2db True 1
Get Address c:\windows\system32\msvcrt.dll function = _exit, address_out = 0x76d7b2c0 True 1
Get Address c:\windows\system32\msvcrt.dll function = _XcptFilter, address_out = 0x76d3dc75 True 1
Get Address c:\windows\system32\msvcrt.dll function = _cexit, address_out = 0x76d237d4 True 1
Get Address c:\windows\system32\msvcrt.dll function = exit, address_out = 0x76d236aa True 1
Get Address c:\windows\system32\msvcrt.dll function = _acmdln, address_out = 0x76db04d8 True 1
Get Address c:\windows\system32\msvcrt.dll function = strrchr, address_out = 0x76d1dbae True 1
Get Address c:\windows\system32\msvcrt.dll function = _initterm, address_out = 0x76d1c151 True 1
Get Address c:\windows\system32\msvcrt.dll function = __setusermatherr, address_out = 0x76da77ad True 1
Get Address c:\windows\system32\msvcrt.dll function = strchr, address_out = 0x76d1dbeb True 1
Get Address c:\windows\system32\msvcrt.dll function = _ultoa, address_out = 0x76d61822 True 1
Get Address c:\windows\system32\msvcrt.dll function = malloc, address_out = 0x76d19cee True 1
Get Address c:\windows\system32\msvcrt.dll function = _memicmp, address_out = 0x76d206c8 True 1
Get Address c:\windows\system32\msvcrt.dll function = strcmp, address_out = 0x76d28b11 True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbsnbicmp, address_out = 0x76d73480 True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbsrchr, address_out = 0x76d28e5b True 1
Get Address c:\windows\system32\msvcrt.dll function = _snprintf, address_out = 0x76d3fa7c True 1
Get Address c:\windows\system32\msvcrt.dll function = memset, address_out = 0x76d19790 True 1
Get Address c:\windows\system32\msvcrt.dll function = _strnicmp, address_out = 0x76d20578 True 1
Get Address c:\windows\system32\msvcrt.dll function = wcschr, address_out = 0x76d1aa61 True 1
Get Address c:\windows\system32\msvcrt.dll function = wcsncmp, address_out = 0x76d1b05e True 1
Get Address c:\windows\system32\msvcrt.dll function = wcslen, address_out = 0x76d2d335 True 1
Get Address c:\windows\system32\msvcrt.dll function = abs, address_out = 0x76d3eb1e True 1
Get Address c:\windows\system32\msvcrt.dll function = sprintf, address_out = 0x76d2d354 True 1
Get Address c:\windows\system32\msvcrt.dll function = atoi, address_out = 0x76d1dbe0 True 1
Get Address c:\windows\system32\msvcrt.dll function = memcmp, address_out = 0x76d27975 True 1
Get Address c:\windows\system32\msvcrt.dll function = __getmainargs, address_out = 0x76d22bc0 True 1
Get Address c:\windows\system32\msvcrt.dll function = _strcmpi, address_out = 0x76d1db38 True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbsicmp, address_out = 0x76d29238 True 1
Get Address c:\windows\system32\msvcrt.dll function = _purecall, address_out = 0x76d76ea9 True 1
Get Address c:\windows\system32\msvcrt.dll function = log, address_out = 0x76d3de50 True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbscmp, address_out = 0x76d383c0 True 1
Get Address c:\windows\system32\msvcrt.dll function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9 True 1
Get Address c:\windows\system32\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9 True 1
Get Address c:\windows\system32\msvcrt.dll function = strlen, address_out = 0x76d243d3 True 1
Get Address c:\windows\system32\msvcrt.dll function = _itoa, address_out = 0x76d34218 True 1
Get Address c:\windows\system32\msvcrt.dll function = strcpy, address_out = 0x76d28d6e True 1
Get Address c:\windows\system32\msvcrt.dll function = strtoul, address_out = 0x76d2012e True 1
Get Address c:\windows\system32\msvcrt.dll function = memcpy, address_out = 0x76d19910 True 1
Get Address c:\windows\system32\msvcrt.dll function = wcscpy, address_out = 0x76d2d4f8 True 1
Get Address c:\windows\system32\msvcrt.dll function = strcat, address_out = 0x76d28d75 True 1
Get Address c:\windows\system32\msvcrt.dll function = strncat, address_out = 0x76d40909 True 1
Get Address c:\windows\system32\msvcrt.dll function = _adjust_fdiv, address_out = 0x76db32ec True 1
Get Address c:\windows\system32\msvcrt.dll function = __p__commode, address_out = 0x76d227c3 True 1
Get Address c:\windows\system32\msvcrt.dll function = __p__fmode, address_out = 0x76d227ce True 1
Get Address c:\windows\system32\msvcrt.dll function = __set_app_type, address_out = 0x76d22804 True 1
Get Address c:\windows\system32\msvcrt.dll function = _controlfp, address_out = 0x76d1e1e1 True 1
Get Address c:\windows\system32\msvcrt.dll function = _except_handler3, address_out = 0x76d3d770 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 6, address_out = 0x6d6ea14c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_Create, address_out = 0x6d6c908c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_ReplaceIcon, address_out = 0x6d726ea3 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 17, address_out = 0x6d6c1739 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_AddMasked, address_out = 0x6d6c8b75 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_SetImageCount, address_out = 0x6d726e17 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateToolbarEx, address_out = 0x6d6ea4d5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryA, address_out = 0x76a2903d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x76a3214f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x76a2cac4 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x76a2cdcf True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareFileTime, address_out = 0x76a313f3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVolumeInformationA, address_out = 0x76a441aa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x76a31e46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x76a1d8d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x76a1dc43 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceNamesA, address_out = 0x76a45a34 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WritePrivateProfileStringA, address_out = 0x76a3d763 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x76a16ba9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x76a46a65 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDirectoryA, address_out = 0x76a28fc5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryA, address_out = 0x76a45d02 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateRemoteThread, address_out = 0x76a6f33b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindResourceA, address_out = 0x76a2a05b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceTypesA, address_out = 0x76a6cb42 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockResource, address_out = 0x76a1fd29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoA, address_out = 0x769e1e10 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x76a247cb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadResource, address_out = 0x76a2984d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SizeofResource, address_out = 0x76a23e7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x76a3450e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x76a333d3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x76a2cf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x76a2d9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x76a3452b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76a31400 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x76a3395c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadProcessMemory, address_out = 0x76a1c1ce True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForSingleObject, address_out = 0x76a2ba90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x76a2ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x76a2ca64 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteProcessMemory, address_out = 0x76a1c1de True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ResumeThread, address_out = 0x76a20f1c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAllocEx, address_out = 0x76a1c1b6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = OpenProcess, address_out = 0x76a259d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x76a20273 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFreeEx, address_out = 0x76a1c1ee True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentDirectoryA, address_out = 0x76a1733c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76a18a5b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x76a29ce1 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x76a333f6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalLock, address_out = 0x76a29e05 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalUnlock, address_out = 0x76a29d50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileA, address_out = 0x76a2a187 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExA, address_out = 0x76a247fa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileA, address_out = 0x76a32d89 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x76a2cee8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x76a2bf00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileTime, address_out = 0x76a20f6f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x76a2db36 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x76a31de6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameA, address_out = 0x76a4695f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76a30e62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExA, address_out = 0x76a33861 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x76a48868 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x76a296fb True 1
Fn
Get Address c:\windows\system32\user32.dll function = CopyRect, address_out = 0x755b4ad9 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DrawTextExA, address_out = 0x755cae60 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DispatchMessageA, address_out = 0x755b2e32 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMessageA, address_out = 0x755b1899 True 1
Fn
Get Address c:\windows\system32\user32.dll function = IsDialogMessageA, address_out = 0x755c2019 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DeferWindowPos, address_out = 0x755aa6c8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = TranslateMessage, address_out = 0x755b64c7 True 1
Fn
Get Address c:\windows\system32\user32.dll function = BeginDeferWindowPos, address_out = 0x755aa6a6 True 1
Fn
Get Address c:\windows\system32\user32.dll function = PostQuitMessage, address_out = 0x755ab308 True 1
Fn
Get Address c:\windows\system32\user32.dll function = TrackPopupMenu, address_out = 0x755c2228 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EndDeferWindowPos, address_out = 0x755aa67a True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetFocus, address_out = 0x755b3a34 True 1
Fn
Get Address c:\windows\system32\user32.dll function = RegisterWindowMessageA, address_out = 0x755ac091 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowTextA, address_out = 0x755a6eed True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenuItemInfoA, address_out = 0x755a856a True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetCursor, address_out = 0x755b3075 True 1
Fn
Get Address c:\windows\system32\user32.dll function = ChildWindowFromPoint, address_out = 0x755eb6aa True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSysColorBrush, address_out = 0x755af1ed True 1
Fn
Get Address c:\windows\system32\user32.dll function = SendMessageA, address_out = 0x755aad60 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadCursorA, address_out = 0x755a8328 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MessageBoxA, address_out = 0x755fea11 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetDlgItemTextA, address_out = 0x755c707a True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgItemTextA, address_out = 0x75603d14 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowTextA, address_out = 0x755d0c5b True 1
Fn
Get Address c:\windows\system32\user32.dll function = EndDialog, address_out = 0x755d3ba3 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgItem, address_out = 0x755d42bb True 1
Fn
Get Address c:\windows\system32\user32.dll function = CreateWindowExA, address_out = 0x755abf40 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowRect, address_out = 0x755b558c True 1
Fn
Get Address c:\windows\system32\user32.dll function = RegisterClassA, address_out = 0x755abc6a True 1
Fn
Get Address c:\windows\system32\user32.dll function = UpdateWindow, address_out = 0x755affa8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x755b67cf True 1
Fn
Get Address c:\windows\system32\user32.dll function = PostMessageA, address_out = 0x755ab446 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetMenu, address_out = 0x755d6b0e True 1
Fn
Get Address c:\windows\system32\user32.dll function = ShowWindow, address_out = 0x755af2a9 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadAcceleratorsA, address_out = 0x755cae02 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowPos, address_out = 0x755b1bc4 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DefWindowProcA, address_out = 0x755abb1c True 1
Fn
Get Address c:\windows\system32\user32.dll function = TranslateAcceleratorA, address_out = 0x755d133f True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowPlacement, address_out = 0x755d69de True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadIconA, address_out = 0x755a64ad True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowLongA, address_out = 0x755aa95e True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowLongA, address_out = 0x755a8ba3 True 1
Fn
Get Address c:\windows\system32\user32.dll function = InvalidateRect, address_out = 0x755b566d True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetFocus, address_out = 0x755aabad True 1
Fn
Get Address c:\windows\system32\user32.dll function = MapDialogRect, address_out = 0x755d347a True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetRect, address_out = 0x755b498b True 1
Fn
Get Address c:\windows\system32\user32.dll function = OpenClipboard, address_out = 0x755d447e True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDC, address_out = 0x755b544c True 1
Fn
Get Address c:\windows\system32\user32.dll function = EmptyClipboard, address_out = 0x755c290c True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnableMenuItem, address_out = 0x755d43bc True 1
Fn
Get Address c:\windows\system32\user32.dll function = ReleaseDC, address_out = 0x755b5421 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MoveWindow, address_out = 0x755a8d29 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenuItemCount, address_out = 0x755aae39 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CheckMenuItem, address_out = 0x755cee7c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetClientRect, address_out = 0x755b54dd True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenuStringA, address_out = 0x75603a16 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetClipboardData, address_out = 0x755c2962 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetCursorPos, address_out = 0x755aa4b3 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetClassNameA, address_out = 0x755d2445 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CloseClipboard, address_out = 0x755d446c True 1
Fn
Get Address c:\windows\system32\user32.dll function = MapWindowPoints, address_out = 0x755b5caa True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadImageA, address_out = 0x755c7779 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSysColor, address_out = 0x755bdb7a True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenu, address_out = 0x755d6b68 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSubMenu, address_out = 0x755a9c19 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadMenuA, address_out = 0x755bf92c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetParent, address_out = 0x755b6029 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadStringA, address_out = 0x755a66a7 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CreateDialogParamA, address_out = 0x755c1f42 True 1
Fn
Get Address c:\windows\system32\user32.dll function = ModifyMenuA, address_out = 0x75603ae0 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DestroyWindow, address_out = 0x755ab2f4 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DialogBoxParamA, address_out = 0x755ecf42 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgCtrlID, address_out = 0x755ab4e8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DestroyMenu, address_out = 0x755a87f7 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnumChildWindows, address_out = 0x755b2948 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SelectObject, address_out = 0x75556640 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetTextColor, address_out = 0x75556906 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = CreateFontIndirectA, address_out = 0x7555d22d True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetBkMode, address_out = 0x755569b1 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = DeleteObject, address_out = 0x75555f14 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = GetTextExtentPoint32A, address_out = 0x755607b0 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetBkColor, address_out = 0x75556a3c True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = GetDeviceCaps, address_out = 0x75556f7f True 1
Fn
Get Address c:\windows\system32\comdlg32.dll function = GetSaveFileNameA, address_out = 0x771aa353 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x76954907 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyExA, address_out = 0x76951481 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x769548ef True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyA, address_out = 0x7696a299 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7695468d True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteKeyA, address_out = 0x7696a8b7 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumValueA, address_out = 0x7694cf49 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7696a4b4 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumValueW, address_out = 0x769548cc True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7695469d True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetPathFromIDListA, address_out = 0x75aa1c24 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetMalloc, address_out = 0x759a0602 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHBrowseForFolderA, address_out = 0x75bcdc6a True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x75bc7078 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7669b636 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoUninitialize, address_out = 0x766c86d3 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x6d6c6be6 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x75bcfb26 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = OpenProcessToken, address_out = 0x76954304 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = LookupPrivilegeValueA, address_out = 0x7695404a True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = AdjustTokenPrivileges, address_out = 0x7695418e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CredReadW, address_out = 0x769872a1 True 2
Fn
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x7694b2ec True 2
Fn
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76987481 True 2
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectData, address_out = 0x751f5a7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x76a23ea8 True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x6d0bd70b True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x6d0bd13c True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x6d053c51 True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x6d053333 True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x6d03d3ca True 1
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x6d0500a7 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x769491dd True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptReleaseContext, address_out = 0x7694e124 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7694df4e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGetHashParam, address_out = 0x7694df7e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7694df36 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7694df66 True 1
Fn
System (3)
Operation Additional Information Success Count
Get Computer Name result_out = CRH2YWU7 True 1
Get Info type = Operating System False 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Ini (14)
Operation Filename Additional Information Success Count
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder0 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder1 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder2 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder3 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder4 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder5 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder6 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = WinPos False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Columns False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Debug (1)
Operation Process Additional Information Success Count
Check for Presence c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe True 1
Process #8: regsvcs.exe
(Host: 430, Network: 0)
Information Value
ID #8
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl"
Initial Working Directory C:\Users\EEBsYm5\AppData\Local\Temp\60484525\
Monitor Start Time: 00:00:20, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:51
OS Process Information
Information Value
PID 0xaa0
Parent PID 0xa4c (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ebee (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xaa4
0xac4
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000130000 0x00130000 0x0013ffff Private Memory Readable, Writable True False False
private_0x0000000000170000 0x00170000 0x0026ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000270000 0x00270000 0x00337fff Pagefile Backed Memory Readable True False False
private_0x0000000000400000 0x00400000 0x0041dfff Private Memory Readable, Writable, Executable True False False
private_0x0000000000500000 0x00500000 0x005fffff Private Memory Readable, Writable True False False
pagefile_0x0000000000600000 0x00600000 0x00700fff Pagefile Backed Memory Readable True False False
private_0x00000000007f0000 0x007f0000 0x007fffff Private Memory Readable, Writable True False False
regsvcs.exe 0x008e0000 0x008edfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x00000000008f0000 0x008f0000 0x014effff Pagefile Backed Memory Readable True False False
private_0x00000000014f0000 0x014f0000 0x015effff Private Memory Readable, Writable True False False
sortdefault.nls 0x015f0000 0x018befff Memory Mapped File Readable False False False
private_0x0000000001a40000 0x01a40000 0x01b3ffff Private Memory Readable, Writable True False False
comctl32.dll 0x6d6c0000 0x6d743fff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x72970000 0x7297cfff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73840000 0x73853fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75070000 0x7508afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x75180000 0x7518bfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x751c0000 0x752dcfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x752e0000 0x75329fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x75550000 0x7559dfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x755a0000 0x75668fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x756b0000 0x75706fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x75710000 0x7572efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x75730000 0x757fbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75980000 0x765c9fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x765e0000 0x7667cfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76680000 0x767dbfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76940000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x769e0000 0x76ab3fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76ac0000 0x76b60fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76d10000 0x76dbbfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x76fc0000 0x770fbfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77110000 0x77128fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x77160000 0x77169fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77170000 0x771eafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77200000 0x77200fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x400000, size = 512 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x401000, size = 44032 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x41c000, size = 3584 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x41d000, size = 4096 True 1
Modify Memory #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 address = 0x7ffdb008, size = 4 True 1
Modify Control Flow #4: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0xa88 os_tid = 0xaa4, address = 0x77007098 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\zljxukhl 0.46 KB (469 bytes) MD5: b2912991f1be1bdf15ea7028328cc3bf
SHA1: a18027ccd9e804696cac7dc581c58ce59b77e3c5
SHA256: 1035b4c326e3ee76f23a9532c2de82ba28071fb55ebfa27f99f48bb08f7c8114
False
Host Behavior
File (32)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Thunderbird\Profiles type = file_attributes False 1
Fn
Get Info C:\Program Files\Mozilla Thunderbird type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount type = size True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount type = size True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount type = size True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount size = 1734, size_out = 1734 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount size = 1506, size_out = 1506 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount size = 670, size_out = 670 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 50 True 2
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 2 True 3
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 30 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 52 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 35 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 27 True 2
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 22 True 4
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 24 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 26 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 29 True 1
Fn
Data
Write C:\Users\EEBsYm5\AppData\Local\Temp\zljxukhl size = 25 True 1
Fn
Data
Registry (124)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts False 1
Fn
Open Key HKEY_CURRENT_USER\Identities True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts False 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles False 1
Fn
Open Key HKEY_CURRENT_USER\Software\IncrediMail\Identities False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Group Mail False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail False 1
Fn
Read Value HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} value_name = Username, data = Main Identity, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User, data = 48, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Display Name, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Use SPA, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = POP3 User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = IMAP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = HTTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = SMTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = POP3 User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = IMAP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = HTTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = SMTP User, data = 100, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles False 1
Fn
Module (264)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x6d6c0000 True 1
Fn
Load shell32.dll base_address = 0x75980000 True 1
Fn
Load pstorec.dll base_address = 0x72970000 True 1
Fn
Load crypt32.dll base_address = 0x751c0000 True 2
Fn
Load advapi32.dll base_address = 0x76940000 True 3
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x769e0000 True 2
Fn
Get Handle c:\windows\system32\msvcrt.dll base_address = 0x76d10000 True 1
Fn
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x6d6c0000 True 1
Fn
Get Handle c:\windows\system32\rpcrt4.dll base_address = 0x76ac0000 True 1
Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x755a0000 True 1
Fn
Get Handle c:\windows\system32\gdi32.dll base_address = 0x75550000 True 1
Fn
Get Handle c:\windows\system32\comdlg32.dll base_address = 0x77170000 True 1
Fn
Get Handle c:\windows\system32\advapi32.dll base_address = 0x76940000 True 1
Fn
Get Handle c:\windows\system32\shell32.dll base_address = 0x75980000 True 1
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x76680000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Fn
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualProtect, address_out = 0x76a22341 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memmove, address_out = 0x76d19e5a True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcschr, address_out = 0x76d1aa61 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcslen, address_out = 0x76d2d335 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsncmp, address_out = 0x76d1b05e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _itoa, address_out = 0x76d34218 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strlwr, address_out = 0x76d2ca0b True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = qsort, address_out = 0x76d1d3e6 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strncmp, address_out = 0x76d1b443 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _snprintf, address_out = 0x76d3fa7c True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbsrchr, address_out = 0x76d28e5b True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbsnbicmp, address_out = 0x76d73480 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __dllonexit, address_out = 0x76d1f509 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _onexit, address_out = 0x76d2112d True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _c_exit, address_out = 0x76d7b2db True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _exit, address_out = 0x76d7b2c0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _XcptFilter, address_out = 0x76d3dc75 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _cexit, address_out = 0x76d237d4 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strnicmp, address_out = 0x76d20578 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _acmdln, address_out = 0x76db04d8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __getmainargs, address_out = 0x76d22bc0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _initterm, address_out = 0x76d1c151 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _memicmp, address_out = 0x76d206c8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = malloc, address_out = 0x76d19cee True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strrchr, address_out = 0x76d1dbae True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _stricmp, address_out = 0x76d1db38 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = free, address_out = 0x76d19894 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = modf, address_out = 0x76d27551 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcmp, address_out = 0x76d27975 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strtoul, address_out = 0x76d2012e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x76d1b0b9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = ??2@YAPAXI@Z, address_out = 0x76d1b0c9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcpy, address_out = 0x76d19910 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = sprintf, address_out = 0x76d2d354 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbsicmp, address_out = 0x76d29238 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = atoi, address_out = 0x76d1dbe0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strcmpi, address_out = 0x76d1db38 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strlen, address_out = 0x76d243d3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcmp, address_out = 0x76d28b11 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = exit, address_out = 0x76d236aa True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _adjust_fdiv, address_out = 0x76db32ec True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsstr, address_out = 0x76d1bf71 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = log, address_out = 0x76d3de50 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbscmp, address_out = 0x76d383c0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strchr, address_out = 0x76d1dbeb True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _purecall, address_out = 0x76d76ea9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strncat, address_out = 0x76d40909 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = abs, address_out = 0x76d3eb1e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcat, address_out = 0x76d28d75 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _ultoa, address_out = 0x76d61822 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcpy, address_out = 0x76d28d6e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memset, address_out = 0x76d19790 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __p__commode, address_out = 0x76d227c3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __p__fmode, address_out = 0x76d227ce True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __set_app_type, address_out = 0x76d22804 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _controlfp, address_out = 0x76d1e1e1 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _except_handler3, address_out = 0x76d3d770 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __setusermatherr, address_out = 0x76da77ad True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateToolbarEx, address_out = 0x6d6ea4d5 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_Create, address_out = 0x6d6c908c True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_AddMasked, address_out = 0x6d6c8b75 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_SetImageCount, address_out = 0x6d726e17 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 17 (import by ordinal, no name), address_out = 0x6d6c1739 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_ReplaceIcon, address_out = 0x6d726ea3 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 6 (import by ordinal, no name), address_out = 0x6d6ea14c True 1
Get Address c:\windows\system32\rpcrt4.dll function = UuidFromStringA, address_out = 0x76ac7348 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentDirectoryA, address_out = 0x76a1733c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x76a2cf41 True 1
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryA, address_out = 0x76a2903d True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x76a2cdcf True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x76a3214f True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x76a2cac4 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadProcessMemory, address_out = 0x76a1c1ce True 1
Get Address c:\windows\system32\kernel32.dll function = OpenProcess, address_out = 0x76a259d7 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x76a31e46 True 1
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x76a1dc43 True 1
Get Address c:\windows\system32\kernel32.dll function = EnumResourceNamesA, address_out = 0x76a45a34 True 1
Get Address c:\windows\system32\kernel32.dll function = WritePrivateProfileStringA, address_out = 0x76a3d763 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x76a16ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x76a20273 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x76a2cee8 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalUnlock, address_out = 0x76a29d50 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalLock, address_out = 0x76a29e05 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x76a46a65 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x76a29ce1 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x76a2ca7c True 1
Get Address c:\windows\system32\kernel32.dll function = FindResourceA, address_out = 0x76a2a05b True 1
Get Address c:\windows\system32\kernel32.dll function = LoadResource, address_out = 0x76a2984d True 1
Get Address c:\windows\system32\kernel32.dll function = EnumResourceTypesA, address_out = 0x76a6cb42 True 1
Get Address c:\windows\system32\kernel32.dll function = SizeofResource, address_out = 0x76a23e7f True 1
Get Address c:\windows\system32\kernel32.dll function = LockResource, address_out = 0x76a1fd29 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x76a247cb True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoA, address_out = 0x769e1e10 True 1
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x76a1d8d7 True 1
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x76a3452b True 1
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x76a3450e True 1
Get Address c:\windows\system32\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x76a18a5b True 1
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x76a2ca64 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x76a31400 True 1
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileSectionA, address_out = 0x76a678ad True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x76a2d9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x76a333d3 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x76a3395c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x76a333f6 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileA, address_out = 0x76a32d89 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileA, address_out = 0x76a2a187 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x76a2db36 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x76a2bf00 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExA, address_out = 0x76a247fa True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x76a31de6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameA, address_out = 0x76a4695f True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x76a30e62 True 1
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x76a48868 True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryA, address_out = 0x76a45d02 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x76a296fb True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExA, address_out = 0x76a33861 True 1
Get Address c:\windows\system32\user32.dll function = GetClassNameA, address_out = 0x755d2445 True 1
Get Address c:\windows\system32\user32.dll function = GetMessageA, address_out = 0x755b1899 True 1
Get Address c:\windows\system32\user32.dll function = TranslateMessage, address_out = 0x755b64c7 True 1
Get Address c:\windows\system32\user32.dll function = RegisterWindowMessageA, address_out = 0x755ac091 True 1
Get Address c:\windows\system32\user32.dll function = PostQuitMessage, address_out = 0x755ab308 True 1
Get Address c:\windows\system32\user32.dll function = TrackPopupMenu, address_out = 0x755c2228 True 1
Get Address c:\windows\system32\user32.dll function = PostMessageA, address_out = 0x755ab446 True 1
Get Address c:\windows\system32\user32.dll function = GetFocus, address_out = 0x755b3a34 True 1
Get Address c:\windows\system32\user32.dll function = DispatchMessageA, address_out = 0x755b2e32 True 1
Get Address c:\windows\system32\user32.dll function = DrawTextExA, address_out = 0x755cae60 True 1
Get Address c:\windows\system32\user32.dll function = IsDialogMessageA, address_out = 0x755c2019 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowTextA, address_out = 0x755a6eed True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemInfoA, address_out = 0x755a856a True 1
Get Address c:\windows\system32\user32.dll function = EnumChildWindows, address_out = 0x755b2948 True 1
Get Address c:\windows\system32\user32.dll function = DestroyMenu, address_out = 0x755a87f7 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgCtrlID, address_out = 0x755ab4e8 True 1
Get Address c:\windows\system32\user32.dll function = DialogBoxParamA, address_out = 0x755ecf42 True 1
Get Address c:\windows\system32\user32.dll function = ShowWindow, address_out = 0x755af2a9 True 1
Get Address c:\windows\system32\user32.dll function = SetCursor, address_out = 0x755b3075 True 1
Get Address c:\windows\system32\user32.dll function = LoadCursorA, address_out = 0x755a8328 True 1
Get Address c:\windows\system32\user32.dll function = ChildWindowFromPoint, address_out = 0x755eb6aa True 1
Get Address c:\windows\system32\user32.dll function = GetSysColorBrush, address_out = 0x755af1ed True 1
Get Address c:\windows\system32\user32.dll function = EndDialog, address_out = 0x755d3ba3 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItem, address_out = 0x755d42bb True 1
Get Address c:\windows\system32\user32.dll function = CreateWindowExA, address_out = 0x755abf40 True 1
Get Address c:\windows\system32\user32.dll function = InvalidateRect, address_out = 0x755b566d True 1
Get Address c:\windows\system32\user32.dll function = SetDlgItemInt, address_out = 0x755cec2e True 1
Get Address c:\windows\system32\user32.dll function = BeginPaint, address_out = 0x755b5d14 True 1
Get Address c:\windows\system32\user32.dll function = GetClientRect, address_out = 0x755b54dd True 1
Get Address c:\windows\system32\user32.dll function = GetWindow, address_out = 0x755b2780 True 1
Get Address c:\windows\system32\user32.dll function = SetDlgItemTextA, address_out = 0x755c707a True 1
Get Address c:\windows\system32\user32.dll function = DrawFrameControl, address_out = 0x755cb4f9 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItemTextA, address_out = 0x75603d14 True 1
Get Address c:\windows\system32\user32.dll function = SendDlgItemMessageA, address_out = 0x755c7241 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowTextA, address_out = 0x755d0c5b True 1
Get Address c:\windows\system32\user32.dll function = GetWindowRect, address_out = 0x755b558c True 1
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x755b67cf True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItemInt, address_out = 0x755ced56 True 1
Get Address c:\windows\system32\user32.dll function = DeferWindowPos, address_out = 0x755aa6c8 True 1
Get Address c:\windows\system32\user32.dll function = EndPaint, address_out = 0x755b5d42 True 1
Get Address c:\windows\system32\user32.dll function = DefWindowProcA, address_out = 0x755abb1c True 1
Get Address c:\windows\system32\user32.dll function = TranslateAcceleratorA, address_out = 0x755d133f True 1
Get Address c:\windows\system32\user32.dll function = MessageBoxA, address_out = 0x755fea11 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowPlacement, address_out = 0x755d69de True 1
Get Address c:\windows\system32\user32.dll function = RegisterClassA, address_out = 0x755abc6a True 1
Get Address c:\windows\system32\user32.dll function = UpdateWindow, address_out = 0x755affa8 True 1
Get Address c:\windows\system32\user32.dll function = SetMenu, address_out = 0x755d6b0e True 1
Get Address c:\windows\system32\user32.dll function = LoadAcceleratorsA, address_out = 0x755cae02 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowPos, address_out = 0x755b1bc4 True 1
Get Address c:\windows\system32\user32.dll function = SendMessageA, address_out = 0x755aad60 True 1
Get Address c:\windows\system32\user32.dll function = LoadIconA, address_out = 0x755a64ad True 1
Get Address c:\windows\system32\user32.dll function = GetWindowLongA, address_out = 0x755aa95e True 1
Get Address c:\windows\system32\user32.dll function = SetWindowLongA, address_out = 0x755a8ba3 True 1
Get Address c:\windows\system32\user32.dll function = SetFocus, address_out = 0x755aabad True 1
Get Address c:\windows\system32\user32.dll function = BeginDeferWindowPos, address_out = 0x755aa6a6 True 1
Get Address c:\windows\system32\user32.dll function = EndDeferWindowPos, address_out = 0x755aa67a True 1
Get Address c:\windows\system32\user32.dll function = CheckMenuItem, address_out = 0x755cee7c True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemCount, address_out = 0x755aae39 True 1
Get Address c:\windows\system32\user32.dll function = SetClipboardData, address_out = 0x755c2962 True 1
Get Address c:\windows\system32\user32.dll function = GetMenuStringA, address_out = 0x75603a16 True 1
Get Address c:\windows\system32\user32.dll function = EnableWindow, address_out = 0x755a8d02 True 1
Get Address c:\windows\system32\user32.dll function = DestroyWindow, address_out = 0x755ab2f4 True 1
Get Address c:\windows\system32\user32.dll function = GetCursorPos, address_out = 0x755aa4b3 True 1
Get Address c:\windows\system32\user32.dll function = LoadImageA, address_out = 0x755c7779 True 1
Get Address c:\windows\system32\user32.dll function = GetSysColor, address_out = 0x755bdb7a True 1
Get Address c:\windows\system32\user32.dll function = MapWindowPoints, address_out = 0x755b5caa True 1
Get Address c:\windows\system32\user32.dll function = GetMenu, address_out = 0x755d6b68 True 1
Get Address c:\windows\system32\user32.dll function = CloseClipboard, address_out = 0x755d446c True 1
Get Address c:\windows\system32\user32.dll function = GetParent, address_out = 0x755b6029 True 1
Get Address c:\windows\system32\user32.dll function = OpenClipboard, address_out = 0x755d447e True 1
Get Address c:\windows\system32\user32.dll function = GetDC, address_out = 0x755b544c True 1
Get Address c:\windows\system32\user32.dll function = EmptyClipboard, address_out = 0x755c290c True 1
Get Address c:\windows\system32\user32.dll function = MoveWindow, address_out = 0x755a8d29 True 1
Get Address c:\windows\system32\user32.dll function = GetSubMenu, address_out = 0x755a9c19 True 1
Get Address c:\windows\system32\user32.dll function = EnableMenuItem, address_out = 0x755d43bc True 1
Get Address c:\windows\system32\user32.dll function = ReleaseDC, address_out = 0x755b5421 True 1
Get Address c:\windows\system32\user32.dll function = LoadMenuA, address_out = 0x755bf92c True 1
Get Address c:\windows\system32\user32.dll function = LoadStringA, address_out = 0x755a66a7 True 1
Get Address c:\windows\system32\user32.dll function = CreateDialogParamA, address_out = 0x755c1f42 True 1
Get Address c:\windows\system32\user32.dll function = ModifyMenuA, address_out = 0x75603ae0 True 1
Get Address c:\windows\system32\gdi32.dll function = GetDeviceCaps, address_out = 0x75556f7f True 1
Get Address c:\windows\system32\gdi32.dll function = SetTextColor, address_out = 0x75556906 True 1
Get Address c:\windows\system32\gdi32.dll function = CreateFontIndirectA, address_out = 0x7555d22d True 1
Get Address c:\windows\system32\gdi32.dll function = SetBkMode, address_out = 0x755569b1 True 1
Get Address c:\windows\system32\gdi32.dll function = DeleteObject, address_out = 0x75555f14 True 1
Get Address c:\windows\system32\gdi32.dll function = GetTextExtentPoint32A, address_out = 0x755607b0 True 1
Get Address c:\windows\system32\gdi32.dll function = SetBkColor, address_out = 0x75556a3c True 1
Get Address c:\windows\system32\gdi32.dll function = SelectObject, address_out = 0x75556640 True 1
Get Address c:\windows\system32\comdlg32.dll function = GetOpenFileNameA, address_out = 0x771aa2a9 True 1
Get Address c:\windows\system32\comdlg32.dll function = GetSaveFileNameA, address_out = 0x771aa353 True 1
Get Address c:\windows\system32\comdlg32.dll function = FindTextA, address_out = 0x771aacd6 True 1
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyA, address_out = 0x7696a299 True 1
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyExA, address_out = 0x76951481 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x769548ef True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x76954907 True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteKeyA, address_out = 0x7696a8b7 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7696a4b4 True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7695469d True 1
Get Address c:\windows\system32\shell32.dll function = SHBrowseForFolderA, address_out = 0x75bcdc6a True 1
Get Address c:\windows\system32\shell32.dll function = SHGetPathFromIDListA, address_out = 0x75aa1c24 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetMalloc, address_out = 0x759a0602 True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x75bc7078 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7669b636 True 1
Get Address c:\windows\system32\ole32.dll function = CoTaskMemFree, address_out = 0x766d6f41 True 1
Get Address c:\windows\system32\ole32.dll function = CoUninitialize, address_out = 0x766c86d3 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x6d6c6be6 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x75bcfb26 True 1
Get Address c:\windows\system32\pstorec.dll function = PStoreCreateInstance, address_out = 0x7297526c True 1
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectData, address_out = 0x751f5a7f True 2
Get Address c:\windows\system32\advapi32.dll function = CredReadA, address_out = 0x769871c1 True 3
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x7694b2ec True 3
Get Address c:\windows\system32\advapi32.dll function = CredDeleteA, address_out = 0x76987941 True 3
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateA, address_out = 0x76987381 True 3
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76987481 True 3
System (2)
Operation Additional Information Success Count
Get Computer Name result_out = CRH2YWU7 True 1
Get Info type = Operating System False 1
Ini (7)
Operation Filename Additional Information Success Count
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = WinPos False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Columns False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Process #9: cih.exe
(Host: 162, Network: 0)
Information Value
ID #9
File Name c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line "C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe" C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:55, Reason: Autostart
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:16
OS Process Information
Information Value
PID 0x750
Parent PID 0x608 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x754
0x7EC
0x158
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x00187fff Pagefile Backed Memory Readable True False False
private_0x0000000000190000 0x00190000 0x0058ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000590000 0x00590000 0x00690fff Pagefile Backed Memory Readable True False False
private_0x00000000006a0000 0x006a0000 0x006a0fff Private Memory Readable, Writable True False False
private_0x00000000006b0000 0x006b0000 0x006b0fff Private Memory Readable, Writable True False False
pagefile_0x00000000006c0000 0x006c0000 0x006c0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000006d0000 0x006d0000 0x006d1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006e0000 0x006e0000 0x006e1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006f0000 0x006f0000 0x006f0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000700000 0x00700000 0x00706fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000710000 0x00710000 0x00711fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000720000 0x00720000 0x00720fff Private Memory Readable, Writable True False False
private_0x0000000000730000 0x00730000 0x0073ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000730000 0x00730000 0x00734fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000740000 0x00740000 0x00744fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000760000 0x00760000 0x00b5ffff Private Memory Readable, Writable True False False
private_0x0000000000b60000 0x00b60000 0x00c9ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000b60000 0x00b60000 0x00c3efff Pagefile Backed Memory Readable True False False
private_0x0000000000c60000 0x00c60000 0x00c9ffff Private Memory Readable, Writable True False False
private_0x0000000000ca0000 0x00ca0000 0x00caffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00cb0000 0x00f7efff Memory Mapped File Readable False False False
cih.exe 0x00fa0000 0x0106bfff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001070000 0x01070000 0x01c6ffff Pagefile Backed Memory Readable True False False
rpcss.dll 0x01c70000 0x01ccbfff Memory Mapped File Readable False False False
rpcss.dll 0x01c70000 0x01ccbfff Memory Mapped File Readable False False False
private_0x0000000001c70000 0x01c70000 0x01ceffff Private Memory Readable, Writable True False False
private_0x0000000001d50000 0x01d50000 0x0214ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002150000 0x02150000 0x02542fff Pagefile Backed Memory Readable True False False
private_0x0000000002550000 0x02550000 0x025effff Private Memory Readable, Writable True False False
private_0x0000000002610000 0x02610000 0x02a0ffff Private Memory Readable, Writable True False False
private_0x0000000002a10000 0x02a10000 0x02b0ffff Private Memory Readable, Writable True False False
private_0x0000000002b10000 0x02b10000 0x02cccfff Private Memory Readable, Writable True False False
private_0x0000000002b10000 0x02b10000 0x02d0ffff Private Memory Readable, Writable True False False
private_0x0000000003280000 0x03280000 0x0338ffff Private Memory Readable, Writable True False False
winmm.dll 0x6ec80000 0x6ecb1fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x6ed20000 0x6ed26fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x71e70000 0x71e81fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x74370000 0x74382fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x746a0000 0x746dffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74820000 0x749bdfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d90000 0x74d98fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74ef0000 0x74f06fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75790000 0x7579bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75840000 0x7584afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x758c0000 0x758e6fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x758f0000 0x75901fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75c20000 0x75d14fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x75e00000 0x75ffafff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x762d0000 0x7635efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76650000 0x76655fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x77410000 0x775acfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x775b0000 0x776e5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77830000 0x77834fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77860000 0x778dafff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x778e0000 0x77914fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd5000 0x7ffd5000 0x7ffd5fff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\60484525\kqmao 271.35 KB (277864 bytes)
MD5: 1ddc15ba0f5ad90873d42c41f4a2abc3
SHA1: 4cc438d56cd0317c3cd75f6630f2ce4ce4b31ca0
SHA256: c1492aca20af26af0c906dc391b808f2b227904a8948aa7b34caeddb70fc83cb
YARA Match: False
Host Behavior
File (124)
+
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc type = file_type True 1
Fn
Get Info *.* type = file_attributes False 1
Fn
Get Info 0409 type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE True 2
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Open STD_ERROR_HANDLE True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 65536 True 92
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 8772 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 53248, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 20 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 61440, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 7852 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc size = 65536, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 65536 True 12
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 50285 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 65536, size_out = 0 True 1
Fn
Write C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 277864 True 1
Fn
Data
Registry (3)
+
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Control Panel\Mouse True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt False 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\Mouse value_name = SwapMouseButtons, data = 48 True 1
Fn
Process (1)
+
Operation Process Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO os_pid = 0x480, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_SHOWNORMAL True 1
Fn
Module (17)
+
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75b40000 True 1
Fn
Load uxtheme.dll base_address = 0x746a0000 True 1
Fn
Load user32.dll base_address = 0x764b0000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x75b40000 True 2
Fn
Get Handle mscoree.dll base_address = 0x0 False 1
Fn
Get Filename process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260 True 3
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x75b9418d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x75b91e16 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x75b976e6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x75b91f61 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x75b84785 True 1
Fn
Get Address c:\windows\system32\uxtheme.dll function = IsThemeActive, address_out = 0x746af785 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CallWindowProc, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\user32.dll function = CallWindowProcA, address_out = 0x764e2bd3 True 1
Fn
Window (2)
Operation Window Name Additional Information Success Count Logfile
Create AutoIt v3 class_name = AutoIt v3, wndproc_parameter = 0 True 1
Fn
System (7)
Operation Additional Information Success Count Logfile
Sleep duration = 750 milliseconds (0.750 seconds) True 2
Fn
Get Time type = System Time, time = 2017-10-04 02:24:17 (UTC) True 1
Fn
Get Time type = Ticks, time = 11965 True 1
Fn
Get Time type = System Time, time = 2017-10-04 02:24:20 (UTC) True 1
Fn
Get Info type = Operating System False 1
Fn
Get Info type = Hardware Information True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String True 1
Fn
Data
Ini (3)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Dir, data_out = 60484525 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = sK, data_out = 228 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = sN, data_out = rpi.qcn True 1
Fn
Debug (1)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\users\eebsym5\appdata\local\temp\60484525\cih.exe True 1
Fn
Process #10: cih.exe
(Host: 353, Network: 0)
Information Value
ID #10
File Name c:\users\eebsym5\appdata\local\temp\60484525\cih.exe
Command Line C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:03, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:08
OS Process Information
Information Value
PID 0x480
Parent PID 0x750 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x488
0x61C
0x6BC
0x758
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000000e0000 0x000e0000 0x000e1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000f0000 0x000f0000 0x000f1fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable, Writable True False False
rpcss.dll 0x00110000 0x0016bfff Memory Mapped File Readable False False False
pagefile_0x0000000000110000 0x00110000 0x00116fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000120000 0x00120000 0x00121fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000130000 0x00130000 0x00130fff Private Memory Readable, Writable True False False
tzres.dll 0x00140000 0x00140fff Memory Mapped File Readable False False False
rsaenh.dll 0x00140000 0x0017bfff Memory Mapped File Readable False False False
private_0x0000000000140000 0x00140000 0x00140fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000180000 0x00180000 0x0018ffff Private Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable, Executable True False False
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory Readable, Writable, Executable True False False
private_0x00000000001f0000 0x001f0000 0x005effff Private Memory Readable, Writable True False False
pagefile_0x00000000005f0000 0x005f0000 0x006b7fff Pagefile Backed Memory Readable True False False
private_0x00000000006c0000 0x006c0000 0x00abffff Private Memory Readable, Writable True False False
pagefile_0x0000000000ac0000 0x00ac0000 0x00bc0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000bd0000 0x00bd0000 0x00caefff Pagefile Backed Memory Readable True False False
private_0x0000000000cb0000 0x00cb0000 0x00cbffff Private Memory Readable, Writable True False False
private_0x0000000000cc0000 0x00cc0000 0x00dbffff Private Memory Readable, Writable True False False
private_0x0000000000cc0000 0x00cc0000 0x00d3ffff Private Memory Readable, Writable True False False
private_0x0000000000d80000 0x00d80000 0x00dbffff Private Memory Readable, Writable True False False
private_0x0000000000dc0000 0x00dc0000 0x00ebffff Private Memory Readable, Writable True False False
private_0x0000000000ec0000 0x00ec0000 0x00f3ffff Private Memory Readable, Writable True False False
cih.exe 0x00fa0000 0x0106bfff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000001070000 0x01070000 0x01c6ffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x01c70000 0x01f3efff Memory Mapped File Readable False False False
private_0x0000000001f40000 0x01f40000 0x0233ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002340000 0x02340000 0x02732fff Pagefile Backed Memory Readable True False False
private_0x0000000002780000 0x02780000 0x02b7ffff Private Memory Readable, Writable True False False
private_0x0000000002b80000 0x02b80000 0x02d7ffff Private Memory Readable, Writable True False False
private_0x0000000002d80000 0x02d80000 0x02f3cfff Private Memory Readable, Writable True False False
private_0x0000000002e60000 0x02e60000 0x0325ffff Private Memory Readable, Writable True False False
private_0x0000000003260000 0x03260000 0x0341cfff Private Memory Readable, Writable True False False
winmm.dll 0x6ec80000 0x6ecb1fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x6ed20000 0x6ed26fff Memory Mapped File Readable, Writable, Executable False False False
mpr.dll 0x71e70000 0x71e81fff Memory Mapped File Readable, Writable, Executable False False False
dwmapi.dll 0x74370000 0x74382fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x746a0000 0x746dffff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74820000 0x749bdfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d90000 0x74d98fff Memory Mapped File Readable, Writable, Executable False False False
userenv.dll 0x74ef0000 0x74f06fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x750b0000 0x750eafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x75310000 0x75325fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75790000 0x7579bfff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x75840000 0x7584afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
cfgmgr32.dll 0x758c0000 0x758e6fff Memory Mapped File Readable, Writable, Executable False False False
devobj.dll 0x758f0000 0x75901fff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75c20000 0x75d14fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x75e00000 0x75ffafff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x762d0000 0x7635efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76650000 0x76655fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
setupapi.dll 0x77410000 0x775acfff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x775b0000 0x776e5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77830000 0x77834fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77860000 0x778dafff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x778e0000 0x77914fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Host Behavior
File (41)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO type = file_type True 1
Fn
Get Info 60484525 type = file_attributes True 2
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\spd type = file_attributes False 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe type = file_attributes True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE True 2
Fn
Open STD_OUTPUT_HANDLE True 1
Fn
Open STD_ERROR_HANDLE True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 65536, size_out = 65536 True 8
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 65536, size_out = 15800 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 49152, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 65536, size_out = 20 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 61440, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 65536, size_out = 15720 True 1
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO size = 65536, size_out = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 65536 True 12
Fn
Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt size = 65536, size_out = 50285 True 1
Fn
Data
Delete C:\Users\EEBsYm5\AppData\Local\Temp\60484525\KQMAO True 1
Fn
Registry (7)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Fn
Create Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run True 1
Fn
Open Key HKEY_CURRENT_USER\Control Panel\Mouse True 1
Fn
Open Key HKEY_CURRENT_USER\Software\AutoIt v3\AutoIt False 1
Fn
Read Value HKEY_CURRENT_USER\Control Panel\Mouse value_name = SwapMouseButtons, data = 48 True 1
Fn
Write Value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ True 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = WindowsUpdate, data = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cvn-nhc, size = 212, type = REG_SZ True 1
Fn
Process (1)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe os_pid = 0x328, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Thread (3)
Operation Process Additional Information Success Count Logfile
Get Context c:\users\eebsym5\appdata\local\temp\60484525\cih.exe os_tid = 0x488 True 1
Fn
Set Context c:\users\eebsym5\appdata\local\temp\60484525\cih.exe os_tid = 0x488 True 1
Fn
Resume c:\users\eebsym5\appdata\local\temp\60484525\cih.exe os_tid = 0x488 True 1
Fn
Memory (7)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496 True 1
Fn
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x400000, size = 4096 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x401000, size = 69632 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x412000, size = 24576 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x418000, size = 4096 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x419000, size = 4096 True 1
Fn
Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe address = 0x7ffdb008, size = 4 True 1
Fn
Data
Module (48)
Operation Module Additional Information Success Count Logfile
Load kernel32.dll base_address = 0x75b40000 True 1
Fn
Load uxtheme.dll base_address = 0x746a0000 True 1
Fn
Load Advapi32.dll base_address = 0x76000000 True 1
Fn
Load user32.dll base_address = 0x764b0000 True 1
Fn
Load kernel32 base_address = 0x75b40000 True 17
Fn
Load ntdll base_address = 0x776f0000 True 8
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x75b40000 True 2
Fn
Get Handle mscoree.dll base_address = 0x0 False 1
Fn
Get Filename process_name = c:\users\eebsym5\appdata\local\temp\60484525\cih.exe, file_name_orig = C:\Users\EEBsYm5\AppData\Local\Temp\60484525\cih.exe, size = 260 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsAlloc, address_out = 0x75b9418d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsGetValue, address_out = 0x75b91e16 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsSetValue, address_out = 0x75b976e6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlsFree, address_out = 0x75b91f61 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x75b84785 True 1
Fn
Get Address c:\windows\system32\uxtheme.dll function = IsThemeActive, address_out = 0x746af785 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContext, address_out = 0x0 False 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x760091dd True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7600df4e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7600df36 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDeriveKey, address_out = 0x76043188 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7600df66 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDecrypt, address_out = 0x76043178 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CallWindowProcW, address_out = 0x764c1b3c True 1
Fn
Service (1)
Operation Additional Information Success Count Logfile
Open Manager database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Window (2)
Operation Window Name Additional Information Success Count Logfile
Create AutoIt v3 class_name = AutoIt v3, wndproc_parameter = 0 True 1
Fn
System (215)
Operation Additional Information Success Count Logfile
Sleep duration = 750 milliseconds (0.750 seconds) True 7
Fn
Sleep duration = 10 milliseconds (0.010 seconds) True 199
Fn
Get Time type = System Time, time = 2017-10-04 02:24:20 (UTC) True 1
Fn
Get Time type = Ticks, time = 15490 True 1
Fn
Get Time type = System Time, time = 2017-10-04 02:24:21 (UTC) True 2
Fn
Get Info type = Operating System False 1
Fn
Get Info type = Hardware Information True 1
Fn
Get Info type = Windows Directory, result_out = C:\Windows True 3
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String True 1
Fn
Data
Ini (22)
Operation Filename Additional Information Success Count Logfile
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Dir, data_out = 60484525 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = msg False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = _S0x20057179D673181B71D4593BFB2A0450 False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = VM False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = SandBox False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = duac False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = drpt False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = btklr False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = taskmnrg False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = hSUps False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = StartUps, data_out = lju-0W23JhA138k76msH67J30 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Key, data_out = WindowsUpdate True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = AuEx, data_out = cvn-nhc True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = ExEc, data_out = cih.exe True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Down False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Net False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = eof False 2
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = RP, data_out = qkr.xul True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = Keys, data_out = jom True 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = fb False 1
Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\60484525\hin.ppt section_name = Setting, key_name = btkl False 1
Fn
Debug (1)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\users\eebsym5\appdata\local\temp\60484525\cih.exe True 1
Fn
Process #11: regsvcs.exe
(Host: 432, Network: 41)
Information Value
ID #11
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:07, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:04
OS Process Information
Information Value
PID 0x328
Parent PID 0x480 (c:\users\eebsym5\appdata\local\temp\60484525\cih.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x4D8
0x7E4
0x340
0x324
0x320
0x12C
0x334
0x360
0x428
0x530
0x43C
0x518
0x750
0x7A4
0x150
0x624
0x69C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False
private_0x0000000000060000 0x00060000 0x00060fff Private Memory Readable, Writable True False False
private_0x0000000000070000 0x00070000 0x0016ffff Private Memory Readable, Writable True False False
private_0x0000000000170000 0x00170000 0x0017ffff Private Memory Readable, Writable True False False
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x00190fff Private Memory Readable, Writable True False False
private_0x00000000001a0000 0x001a0000 0x001a0fff Private Memory Readable, Writable True False False
private_0x00000000001b0000 0x001b0000 0x002affff Private Memory Readable, Writable True False False
locale.nls 0x002b0000 0x00316fff Memory Mapped File Readable False False False
private_0x0000000000320000 0x00320000 0x0037ffff Private Memory Readable, Writable True False False
private_0x0000000000390000 0x00390000 0x0039ffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00419fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x004e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000004f0000 0x004f0000 0x005f0fff Pagefile Backed Memory Readable True False False
private_0x0000000000600000 0x00600000 0x006fffff Private Memory Readable, Writable True False False
private_0x0000000000700000 0x00700000 0x007fffff Private Memory Readable, Writable True False False
private_0x0000000000810000 0x00810000 0x0090ffff Private Memory Readable, Writable True False False
private_0x0000000000950000 0x00950000 0x00a4ffff Private Memory Readable, Writable True False False
private_0x0000000000a50000 0x00a50000 0x00b6ffff Private Memory Readable, Writable True False False
private_0x0000000000a50000 0x00a50000 0x00b4ffff Private Memory Readable, Writable True False False
private_0x0000000000b60000 0x00b60000 0x00b6ffff Private Memory Readable, Writable True False False
private_0x0000000000c00000 0x00c00000 0x00cfffff Private Memory Readable, Writable True False False
regsvcs.exe 0x00d30000 0x00d3dfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000d40000 0x00d40000 0x0193ffff Pagefile Backed Memory Readable True False False
private_0x0000000001990000 0x01990000 0x01a8ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x01a90000 0x01d5efff Memory Mapped File Readable False False False
private_0x0000000001d60000 0x01d60000 0x01f1ffff Private Memory Readable, Writable True False False
private_0x0000000001d60000 0x01d60000 0x01e4ffff Private Memory Readable, Writable True False False
private_0x0000000001ee0000 0x01ee0000 0x01f1ffff Private Memory Readable, Writable True False False
private_0x0000000001f40000 0x01f40000 0x0203ffff Private Memory Readable, Writable True False False
private_0x0000000002120000 0x02120000 0x0221ffff Private Memory Readable, Writable True False False
private_0x0000000002220000 0x02220000 0x0241ffff Private Memory Readable, Writable True False False
winmm.dll 0x6ec80000 0x6ecb1fff Memory Mapped File Readable, Writable, Executable False False False
rasadhlp.dll 0x6f7a0000 0x6f7a5fff Memory Mapped File Readable, Writable, Executable False False False
msvcp60.dll 0x72440000 0x724a5fff Memory Mapped File Readable, Writable, Executable False False False
winrnr.dll 0x730a0000 0x730a7fff Memory Mapped File Readable, Writable, Executable False False False
pnrpnsp.dll 0x730b0000 0x730c1fff Memory Mapped File Readable, Writable, Executable False False False
fwpuclnt.dll 0x73940000 0x73977fff Memory Mapped File Readable, Writable, Executable False False False
winnsi.dll 0x73a80000 0x73a86fff Memory Mapped File Readable, Writable, Executable False False False
iphlpapi.dll 0x73a90000 0x73aabfff Memory Mapped File Readable, Writable, Executable False False False
nlaapi.dll 0x73bb0000 0x73bbffff Memory Mapped File Readable, Writable, Executable False False False
napinsp.dll 0x73ef0000 0x73efffff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x74510000 0x7469ffff Memory Mapped File Readable, Writable, Executable False False False
wshtcpip.dll 0x74e20000 0x74e24fff Memory Mapped File Readable, Writable, Executable False False False
dnsapi.dll 0x75190000 0x751d3fff Memory Mapped File Readable, Writable, Executable False False False
mswsock.dll 0x752d0000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75770000 0x7578afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75c20000 0x75d14fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x75e00000 0x75ffafff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x762d0000 0x7635efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76650000 0x76655fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x775b0000 0x776e5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77830000 0x77834fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x778e0000 0x77914fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd6000 0x7ffd6000 0x7ffd6fff Private Memory Readable, Writable True False False
private_0x000000007ffd7000 0x7ffd7000 0x7ffd7fff Private Memory Readable, Writable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True False False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffdb000 0x7ffdb000 0x7ffdbfff Private Memory Readable, Writable True False False
private_0x000000007ffdc000 0x7ffdc000 0x7ffdcfff Private Memory Readable, Writable True False False
private_0x000000007ffdd000 0x7ffdd000 0x7ffddfff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 address = 0x400000, size = 4096 True 1 Fn Data
Modify Memory #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 address = 0x401000, size = 69632 True 1 Fn Data
Modify Memory #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 address = 0x412000, size = 24576 True 1 Fn Data
Modify Memory #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 address = 0x418000, size = 4096 True 1 Fn Data
Modify Memory #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 address = 0x419000, size = 4096 True 1 Fn Data
Modify Memory #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 address = 0x7ffdb008, size = 4 True 1 Fn Data
Modify Control Flow #10: c:\users\eebsym5\appdata\local\temp\60484525\cih.exe 0x488 os_tid = 0x4d8, address = 0x77737098 True 1 Fn
Host Behavior
File (45)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 9 Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 9 Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL False 10 Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Create Directory C:\Users\EEBsYm5\AppData\Roaming\chrome True 1 Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat type = size True 1 Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv type = size True 1 Fn
Get Info C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt type = size True 1 Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat type = file_attributes False 1 Fn
Read C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat size = 19, size_out = 19 True 1 Fn Data
Read C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv size = 0, size_out = 0 True 1 Fn
Read C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt size = 2, size_out = 2 True 1 Fn Data
Write C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat size = 13 True 1 Fn Data
Delete Directory C:\Users\EEBsYm5\AppData\Roaming\chrome True 1 Fn
Delete C:\Users\EEBsYm5\AppData\Roaming\chrome\logs.dat True 1 Fn
Delete C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv True 1 Fn
Delete C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt True 1 Fn
Registry (58)
Operation Key Additional Information Success Count Logfile
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1 Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1 Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 2 Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 8 Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 10 Fn
Create Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1 Fn
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 2 Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1 Fn
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 2 Fn
Open Key HKEY_CURRENT_USER\Software\34419-GRNPWA\ True 1 Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = WD, data = 0, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = Inj, data = 0, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName, data = 87 True 1 Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = FR True 1 Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = FR, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = name, data = 108 False 1 Fn
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 1 Fn Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = WD, data = 808, size = 4, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 2 Fn Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 8 Fn Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 10 Fn Data
Write Value HKEY_CURRENT_USER\Software\34419-GRNPWA\ value_name = EXEpath, size = 116, type = REG_BINARY True 1 Fn Data
Process (5)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\system32\svchost.exe os_pid = 0x318, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" os_pid = 0x520, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" os_pid = 0x514, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" os_pid = 0x36c, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1 Fn
Open c:\windows\system32\svchost.exe desired_access = SYNCHRONIZE True 1 Fn
Thread (12)
Operation Process Additional Information Success Count Logfile
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x320 True 1 Fn
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Get Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x320 True 1 Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Set Context c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x320 True 1 Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Resume c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe os_tid = 0x530 True 1 Fn
Memory (29)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\system32\svchost.exe address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 106496 True 1 Fn
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 356352 True 1 Fn
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 147456 True 1 Fn
Allocate C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x400000, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 122880 True 1 Fn
Read C:\Windows\system32\svchost.exe address = 0x7ffde008, size = 4 True 1 Fn Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x7ffda008, size = 4 True 1 Fn Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x7ffd8008, size = 4 True 1 Fn Data
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x7ffd9008, size = 4 True 1 Fn Data
Write C:\Windows\system32\svchost.exe address = 0x400000, size = 4096 True 1 Fn Data
Write C:\Windows\system32\svchost.exe address = 0x401000, size = 69632 True 1 Fn Data
Write C:\Windows\system32\svchost.exe address = 0x412000, size = 24576 True 1 Fn Data
Write C:\Windows\system32\svchost.exe address = 0x418000, size = 4096 True 1 Fn Data
Write C:\Windows\system32\svchost.exe address = 0x419000, size = 4096 True 1 Fn Data
Write C:\Windows\system32\svchost.exe address = 0x7ffde008, size = 4 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x400000, size = 512 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x401000, size = 172032 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x455000, size = 3584 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x456000, size = 2048 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt" address = 0x7ffda008, size = 4 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x400000, size = 512 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x401000, size = 54784 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x422000, size = 3584 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x423000, size = 4096 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv" address = 0x7ffd8008, size = 4 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x400000, size = 512 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x401000, size = 44032 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x41c000, size = 3584 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x41d000, size = 4096 True 1 Fn Data
Write C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel" address = 0x7ffd9008, size = 4 True 1 Fn Data
Module (33)
Operation Module Additional Information Success Count Logfile
Load User32.dll base_address = 0x764b0000 True 1 Fn
Load kernel32.dll base_address = 0x75b40000 True 2 Fn
Load Psapi.dll base_address = 0x77830000 True 2 Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x764b0000 True 1 Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 3 Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x75b40000 True 3 Fn
Get Handle c:\windows\system32\shell32.dll base_address = 0x767c0000 True 1 Fn
Get Handle c:\windows\system32\ntdll.dll base_address = 0x776f0000 True 4 Fn
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2 Fn
Get Address c:\windows\system32\user32.dll function = GetCursorInfo, address_out = 0x76514b31 True 1 Fn
Get Address c:\windows\system32\user32.dll function = GetLastInputInfo, address_out = 0x764c3834 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetConsoleWindow, address_out = 0x75ba2787 True 1 Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExA, address_out = 0x778315bc True 1 Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExW, address_out = 0x778313f0 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalMemoryStatusEx, address_out = 0x75b78a2b True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = IsWow64Process, address_out = 0x75b84785 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameExW, address_out = 0x75b80f04 True 1 Fn
Get Address c:\windows\system32\shell32.dll function = IsUserAnAdmin, address_out = 0x768144f5 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetProcessDEPPolicy, address_out = 0x75b7602f True 1 Fn
Get Address c:\windows\system32\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x777369b8 True 4 Fn
Keyboard (1)
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1 Fn
System (242)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = cRh2YWu7, type = ComputerNameDnsHostname True 1 Fn
Get Clipboard format = 1 False 1 Fn
Sleep duration = 10000 milliseconds (10.000 seconds) True 7 Fn
Sleep duration = 500 milliseconds (0.500 seconds) True 11 Fn
Sleep duration = 3000 milliseconds (3.000 seconds) True 22 Fn
Sleep duration = 2000 milliseconds (2.000 seconds) True 1 Fn
Sleep duration = 1000 milliseconds (1.000 seconds) True 125 Fn
Get Time type = Ticks, time = 19468 True 2 Fn
Get Time type = Ticks, time = 20092 True 2 Fn
Get Time type = Ticks, time = 20155 True 2 Fn
Get Time type = Ticks, time = 20482 True 1 Fn
Get Time type = Ticks, time = 21496 True 1 Fn
Get Time type = Ticks, time = 21886 True 2 Fn
Get Time type = Ticks, time = 22510 True 1 Fn
Get Time type = Ticks, time = 23524 True 1 Fn
Get Time type = Ticks, time = 24538 True 1 Fn
Get Time type = Ticks, time = 25552 True 1 Fn
Get Time type = Ticks, time = 26644 True 1 Fn
Get Time type = Ticks, time = 27658 True 1 Fn
Get Time type = Ticks, time = 28672 True 1 Fn
Get Time type = Ticks, time = 29686 True 1 Fn
Get Time type = Ticks, time = 30700 True 1 Fn
Get Time type = Ticks, time = 31715 True 1 Fn
Get Time type = Ticks, time = 32729 True 1 Fn
Get Time type = Ticks, time = 33743 True 1 Fn
Get Time type = Ticks, time = 34757 True 1 Fn
Get Time type = Ticks, time = 35771 True 1 Fn
Get Time type = Ticks, time = 36785 True 1 Fn
Get Time type = Ticks, time = 37799 True 1 Fn
Get Time type = Ticks, time = 38813 True 1 Fn
Get Time type = Ticks, time = 39827 True 1 Fn
Get Time type = Ticks, time = 40841 True 1 Fn
Get Time type = Ticks, time = 41855 True 1 Fn
Get Time type = Ticks, time = 42245 True 2 Fn
Get Time type = Ticks, time = 42869 True 1 Fn
Get Time type = Ticks, time = 43883 True 1 Fn
Get Time type = Ticks, time = 44897 True 1 Fn
Get Time type = Ticks, time = 45911 True 1 Fn
Get Time type = Ticks, time = 46925 True 1 Fn
Get Time type = Ticks, time = 47939 True 1 Fn
Get Time type = Ticks, time = 48953 True 1 Fn
Get Time type = Ticks, time = 49967 True 1 Fn
Get Time type = Ticks, time = 50981 True 1 Fn
Get Time type = Ticks, time = 51995 True 1 Fn
Get Time type = Ticks, time = 53009 True 1 Fn
Get Time type = Ticks, time = 54023 True 1 Fn
Get Time type = Ticks, time = 55037 True 1 Fn
Get Time type = Ticks, time = 56051 True 1 Fn
Get Time type = Ticks, time = 57065 True 1 Fn
Get Time type = Ticks, time = 58079 True 1 Fn
Get Time type = Ticks, time = 59093 True 1 Fn
Get Time type = Ticks, time = 60107 True 1 Fn
Get Time type = Ticks, time = 61121 True 1 Fn
Get Time type = Ticks, time = 62135 True 1 Fn
Get Time type = Ticks, time = 62431 True 2 Fn
Get Time type = Ticks, time = 63149 True 1 Fn
Get Time type = Ticks, time = 64163 True 1 Fn
Get Time type = Ticks, time = 65177 True 1 Fn
Get Time type = Ticks, time = 66191 True 1 Fn
Get Time type = Ticks, time = 67205 True 1 Fn
Get Time type = Ticks, time = 68219 True 1 Fn
Get Time type = Ticks, time = 69233 True 1 Fn
Get Time type = Ticks, time = 70247 True 1 Fn
Get Time type = Ticks, time = 71261 True 1 Fn
Get Time type = Ticks, time = 72275 True 1 Fn
Get Time type = Ticks, time = 73289 True 1 Fn
Get Time type = Ticks, time = 74303 True 1 Fn
Get Time type = Ticks, time = 75317 True 1 Fn
Get Time type = Ticks, time = 76331 True 1 Fn
Get Time type = Ticks, time = 77345 True 1 Fn
Get Time type = Ticks, time = 78359 True 1 Fn
Get Time type = Ticks, time = 79373 True 1 Fn
Get Time type = Ticks, time = 80387 True 1 Fn
Get Time type = Ticks, time = 81401 True 1 Fn
Get Time type = Ticks, time = 82415 True 1 Fn
Mutex (3)
Operation Additional Information Success Count Logfile
Create mutex_name = 34419-GRNPWA True 1 Fn
Open mutex_name = Remcos_Mutex_Inj, desired_access = SYNCHRONIZE False 1 Fn
Open mutex_name = Mutex_RemWatchdog, desired_access = SYNCHRONIZE False 1 Fn
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Resolve Name host = jlux123.no-ip.biz False 1 Fn
Resolve Name host = jluxi.dynu.com, address_out = 185.62.188.68 True 1 Fn
TCP Sessions (3)
Information Value
Total Data Sent 0.88 KB (903 bytes)
Total Data Received 286.80 KB (293679 bytes)
Contacted Host Count 1
Contacted Hosts 185.62.188.68:1991
TCP Session #1
Information Value
Handle 0x18c
Address Family AF_UNSPEC
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 185.62.188.68
Remote Port 1991
Local Address 0.0.0.0
Local Port 1728
Data Sent 0.72 KB (737 bytes)
Data Received 0.24 KB (247 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM True 1 Fn
Connect remote_address = 185.62.188.68, remote_port = 1991 True 1 Fn
Send flags = NO_FLAG_SET, size = 473, size_out = 473 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 32 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 92 True 1 Fn Data
Send flags = NO_FLAG_SET, size = 66, size_out = 66 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 27 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 32 True 2 Fn Data
Send flags = NO_FLAG_SET, size = 66, size_out = 66 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 32 True 1 Fn Data
Send flags = NO_FLAG_SET, size = 66, size_out = 66 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000 False 1 Fn
Send flags = NO_FLAG_SET, size = 66, size_out = 66 True 1 Fn Data
TCP Session #2
Information Value
Handle 0x1bc
Address Family AF_UNSPEC
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 185.62.188.68
Remote Port 1991
Local Address 0.0.0.0
Local Port 1728
Data Sent 0.10 KB (99 bytes)
Data Received 286.55 KB (293432 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM True 1 Fn
Connect remote_address = 185.62.188.68, remote_port = 1991 True 1 Fn
Send flags = NO_FLAG_SET, size = 42, size_out = 42 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 1000, size_out = 1000 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 4808 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 9052 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 3752 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 604 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 340 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 340 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 65000 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 340 True 1 Fn Data
Receive flags = NO_FLAG_SET, size = 65000, size_out = 13196 True 1 Fn Data
Send flags = NO_FLAG_SET, size = 57, size_out = 57 True 1 Fn Data
Close type = SOCK_STREAM True 1 Fn
TCP Session #3
Information Value
Handle 0x1c4
Address Family AF_UNSPEC
Type SOCK_STREAM
Protocol IPPROTO_TCP
Remote Address 185.62.188.68
Remote Port 1991
Local Address 0.0.0.0
Local Port 1984
Data Sent 0.07 KB (67 bytes)
Data Received 0.00 KB (0 bytes)
Operations
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_UNSPEC, type = SOCK_STREAM True 1 Fn
Connect remote_address = 185.62.188.68, remote_port = 1991 True 1 Fn
Send flags = NO_FLAG_SET, size = 67, size_out = 67 True 1 Fn Data
Close type = SOCK_STREAM True 1 Fn
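All three sessions above go to 185.62.188.68:1991 (jluxi.dynu.com per the DNS table; the first name tried, jlux123.no-ip.biz, did not resolve), yet they have very different shapes. Session #1 is a 473-byte hello followed by a steady exchange of 66-byte sends and 27- to 92-byte replies; session #2 sends 42 bytes and then reads 293,432 bytes in 65,000-byte buffers before a 57-byte acknowledgement and a close, which is the shape of a download rather than of command traffic; session #3 sends 67 bytes and closes without reading anything. Note also that VMRay folds identical consecutive calls into one row with a Count (the "size_out = 32 True 2" row in session #1), so per-call sums must honour Count before they can be compared with the Data Sent/Received figures in each session header.

The script below is an added example, not VMRay code. It works on rows constructed from the three session tables (the one failed Receive in session #1 is entered as 0 bytes), expands Count, checks that the per-call sums reproduce each header's totals and the 903 / 293,679-byte figures in the summary, and labels each session by traffic shape; the thresholds are this example's own choice, not anything the report defines.

```python
"""Per-session traffic reconciliation for the C2 sessions in this report.

Added example (not VMRay code). The report lists one row per socket call with
a Count for identical consecutive calls; this expands Count, checks the
per-call sums against the Data Sent/Received totals in each session header,
and labels the session by its traffic shape.
"""
from collections import defaultdict

# Constructed from the three TCP Session tables (185.62.188.68:1991):
# session|operation|size_out|count. The failed Receive in session 1 has no
# size_out and is entered as 0 bytes.
SAMPLE_OPS = """\
1|Send|473|1
1|Receive|32|1
1|Receive|92|1
1|Send|66|1
1|Receive|27|1
1|Receive|32|2
1|Send|66|1
1|Receive|32|1
1|Send|66|1
1|Receive|0|1
1|Send|66|1
2|Send|42|1
2|Receive|1000|1
2|Receive|4808|1
2|Receive|65000|1
2|Receive|9052|1
2|Receive|3752|1
2|Receive|604|1
2|Receive|65000|1
2|Receive|340|1
2|Receive|65000|1
2|Receive|340|1
2|Receive|65000|1
2|Receive|340|1
2|Receive|13196|1
2|Send|57|1
3|Send|67|1
"""

# Totals printed in each session header: (bytes sent, bytes received).
REPORTED = {1: (737, 247), 2: (99, 293432), 3: (67, 0)}


def tally(text):
    """Sum bytes per session, expanding the Count column into repeated calls."""
    sessions = defaultdict(lambda: {"sent": 0, "recv": 0, "calls": []})
    for line in text.splitlines():
        sess, op, size, count = line.split("|")
        s = sessions[int(sess)]
        for _ in range(int(count)):
            s["sent" if op == "Send" else "recv"] += int(size)
            s["calls"].append((op, int(size)))
    return dict(sessions)


def reconcile(sessions, reported):
    """Map session id -> True when the call sums equal the header totals."""
    return {sid: (sessions[sid]["sent"], sessions[sid]["recv"]) == totals
            for sid, totals in reported.items()}


def profile(s):
    """Label a session by shape; the thresholds are this example's choice."""
    sent, recv = s["sent"], s["recv"]
    largest = max(n for _, n in s["calls"])
    if recv >= 64 * 1024 and sent < 256:
        return "bulk download"        # tiny request, large inbound payload
    if sent and recv and largest < 1024:
        return "command exchange"     # many small two-way messages
    if sent and not recv:
        return "one-way report"       # data pushed, nothing read back
    return "unclassified"


def grand_totals(sessions):
    """(bytes sent, bytes received) across all sessions."""
    return (sum(s["sent"] for s in sessions.values()),
            sum(s["recv"] for s in sessions.values()))


if __name__ == "__main__":
    sessions = tally(SAMPLE_OPS)
    ok = reconcile(sessions, REPORTED)
    for sid in sorted(sessions):
        s = sessions[sid]
        print(sid, s["sent"], s["recv"], ok[sid], profile(s))
    print(grand_totals(sessions))
```

Run as-is it reports every session reconciled, 903 bytes sent and 293,679 received overall, and labels session #1 "command exchange", #2 "bulk download" and #3 "one-way report". The reconciliation step is worth keeping in any such parser: a mismatch usually means a Count column was ignored or a failed call was counted as if it had transferred data.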
Process #12: svchost.exe
(Host: 19, Network: 0)
Information Value
ID #12
File Name c:\windows\system32\svchost.exe
Command Line C:\Windows\system32\svchost.exe
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:07, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:04
OS Process Information
Information Value
PID 0x318
Parent PID 0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 330
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False
private_0x00000000000b0000 0x000b0000 0x000effff Private Memory Readable, Writable True False False
locale.nls 0x000f0000 0x00156fff Memory Mapped File Readable False False False
private_0x0000000000160000 0x00160000 0x0025ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000260000 0x00260000 0x00327fff Pagefile Backed Memory Readable True False False
private_0x0000000000370000 0x00370000 0x0037ffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00419fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x00520fff Pagefile Backed Memory Readable True False False
private_0x0000000000530000 0x00530000 0x0062ffff Private Memory Readable, Writable True False False
svchost.exe 0x00940000 0x00947fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000950000 0x00950000 0x0154ffff Pagefile Backed Memory Readable True False False
winmm.dll 0x6ec80000 0x6ecb1fff Memory Mapped File Readable, Writable, Executable False False False
msvcp60.dll 0x72440000 0x724a5fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x74510000 0x7469ffff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75c20000 0x75d14fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x75e00000 0x75ffafff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x762d0000 0x7635efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76650000 0x76655fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x775b0000 0x776e5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x778e0000 0x77914fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 address = 0x400000, size = 4096 True 1 Fn Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 address = 0x401000, size = 69632 True 1 Fn Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 address = 0x412000, size = 24576 True 1 Fn Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 address = 0x418000, size = 4096 True 1 Fn Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 address = 0x419000, size = 4096 True 1 Fn Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 address = 0x7ffde008, size = 4 True 1 Fn Data
Modify Control Flow #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x320 os_tid = 0x330, address = 0x77737098 True 1 Fn
Host Behavior
File (3)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL True 1 Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe type = size True 1 Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe size = 45216, size_out = 45216 True 1 Fn Data
Registry (6)
Operation | Key | Additional Information | Success | Count | Logfile
Open Key | HKEY_CURRENT_USER\Software\34419-GRNPWA\ | | True | 2 | Fn
Open Key | HKEY_CURRENT_USER\Software\34419-GRNPWA\ | | True | 1 | Fn
Read Value | HKEY_CURRENT_USER\Software\34419-GRNPWA\ | value_name = WD, data = 808, type = REG_DWORD_LITTLE_ENDIAN | True | 1 | Fn
Read Value | HKEY_CURRENT_USER\Software\34419-GRNPWA\ | value_name = EXEpath, data = 169 | True | 1 | Fn
Delete Value | HKEY_CURRENT_USER\Software\34419-GRNPWA\ | value_name = WD | True | 1 | Fn
Process (1)
Operation | Process | Additional Information | Success | Count | Logfile
Open | c:\windows\system32\svchost.exe | desired_access = SYNCHRONIZE | True | 1 | Fn
Module (8)
Operation | Module | Additional Information | Success | Count | Logfile
Load | User32.dll | base_address = 0x764b0000 | True | 1 | Fn
Load | kernel32.dll | base_address = 0x75b40000 | True | 1 | Fn
Get Handle | c:\windows\system32\user32.dll | base_address = 0x764b0000 | True | 1 | Fn
Get Handle | private_0x0000000000400000 | base_address = 0x400000 | True | 1 | Fn
Get Filename | | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 | True | 1 | Fn
Get Address | c:\windows\system32\user32.dll | function = GetCursorInfo, address_out = 0x76514b31 | True | 1 | Fn
Get Address | c:\windows\system32\user32.dll | function = GetLastInputInfo, address_out = 0x764c3834 | True | 1 | Fn
Get Address | c:\windows\system32\kernel32.dll | function = GetConsoleWindow, address_out = 0x75ba2787 | True | 1 | Fn
Mutex (1)
Operation | Additional Information | Success | Count | Logfile
Create | mutex_name = Mutex_RemWatchdog | True | 1 | Fn
Process #13: regsvcs.exe
(Host: 1184, Network: 0)
Information Value
ID #13
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:02
OS Process Information
Information Value
PID 0x520
Parent PID 0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x528, 0x754
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable, Writable True False False
tzres.dll 0x000e0000 0x000e0fff Memory Mapped File Readable False False False
private_0x00000000000e0000 0x000e0000 0x000effff Private Memory Readable, Writable True False False
pagefile_0x00000000000e0000 0x000e0000 0x000e4fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000000f0000 0x000f0000 0x000f6fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000100000 0x00100000 0x00101fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000110000 0x00110000 0x0020ffff Private Memory Readable, Writable True False False
rsaenh.dll 0x00210000 0x0024bfff Memory Mapped File Readable False False False
pagefile_0x0000000000210000 0x00210000 0x00214fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x0025ffff Private Memory Readable, Writable True False False
private_0x0000000000280000 0x00280000 0x0028ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000290000 0x00290000 0x00357fff Pagefile Backed Memory Readable True False False
private_0x0000000000360000 0x00360000 0x003fffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00456fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000460000 0x00460000 0x00560fff Pagefile Backed Memory Readable True False False
private_0x00000000005a0000 0x005a0000 0x0069ffff Private Memory Readable, Writable True False False
private_0x00000000006a0000 0x006a0000 0x0079ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x007a0000 0x00a6efff Memory Mapped File Readable False False False
private_0x0000000000a70000 0x00a70000 0x00b70fff Private Memory Readable, Writable True False False
private_0x0000000000a70000 0x00a70000 0x00b8ffff Private Memory Readable, Writable True False False
private_0x0000000000bf0000 0x00bf0000 0x00ceffff Private Memory Readable, Writable True False False
regsvcs.exe 0x00d30000 0x00d3dfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000d40000 0x00d40000 0x0193ffff Pagefile Backed Memory Readable True False False
nss3.dll 0x01940000 0x01af1fff Memory Mapped File Readable False False False
private_0x0000000001940000 0x01940000 0x01a3ffff Private Memory Readable, Writable True False False
private_0x0000000001a40000 0x01a40000 0x01b3ffff Private Memory Readable, Writable True False False
private_0x0000000001b00000 0x01b00000 0x01bfffff Private Memory Readable, Writable True False False
pagefile_0x0000000001c00000 0x01c00000 0x01ff2fff Pagefile Backed Memory Readable True False False
winmm.dll 0x6ec80000 0x6ecb1fff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x6f030000 0x6f07efff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x72220000 0x722a3fff Memory Mapped File Readable, Writable, Executable False False False
vaultcli.dll 0x723c0000 0x723cbfff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x72430000 0x7243cfff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x73170000 0x731d8fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x731e0000 0x7329dfff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x732a0000 0x73454fff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73b60000 0x73b73fff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x73f00000 0x73f26fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x73f30000 0x73f51fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x73fd0000 0x73fe6fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x73ff0000 0x73ff6fff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d90000 0x74d98fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x750b0000 0x750eafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x75310000 0x75325fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75790000 0x7579bfff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x75c20000 0x75d14fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x75e00000 0x75ffafff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x762d0000 0x7635efff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76650000 0x76655fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x775b0000 0x776e5fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x77830000 0x77834fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77860000 0x778dafff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x778e0000 0x77914fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type | Source Process | Source OS Thread ID | Injection Info | Success | Count | Logfile
Modify Memory | #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0x530 | address = 0x400000, size = 512 | True | 1 | Fn, Data
Modify Memory | #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0x530 | address = 0x401000, size = 172032 | True | 1 | Fn, Data
Modify Memory | #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0x530 | address = 0x455000, size = 3584 | True | 1 | Fn, Data
Modify Memory | #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0x530 | address = 0x456000, size = 2048 | True | 1 | Fn, Data
Modify Memory | #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0x530 | address = 0x7ffda008, size = 4 | True | 1 | Fn, Data
Modify Control Flow | #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | 0x530 | os_tid = 0x528, address = 0x77737098 | True | 1 | Fn
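The two Injection Information tables above, for the earlier regsvcs.exe child and for process #13, record the same sequence from process #11: a small write at 0x400000, page-aligned writes at ascending addresses (0x401000, 0x455000, 0x456000 here), a 4-byte write into a 0x7ffdX000 page, and finally a control-flow change of the target's primary thread (os_tid 0x528). The Region table for #13 adds the matching memory picture: private Readable, Writable, Executable memory at 0x400000 while the file-backed regsvcs.exe image is mapped at 0x00d30000. The script below is an added example, not VMRay's or the sample's code; it parses rows in the layout of those two tables and scores them for the process-hollowing (RunPE) pattern. It assumes a 32-bit Windows 7 target, where the PEB lives in a 0x7FFDx000 page and PEB.ImageBaseAddress is at offset 0x8; the sample rows are constructed copies of the rows above.

```python
"""Flag the process-hollowing (RunPE) write pattern in VMRay-style rows.

Added example, not VMRay's or the sample's code. Reads 'Injection Information'
rows and the target's 'Region' rows in the layout used by the report tables."""
import re

INJ_RE = re.compile(
    r"^(?P<type>Modify Memory|Modify Control Flow)\s+#(?P<src>\d+):\s+(?P<image>\S+)\s+"
    r"(?P<tid>0x[0-9a-fA-F]+)\s+(?P<info>.*?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$")
REGION_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<type>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>.*?)\s+(?P<monitored>True|False)\s+(?P<dump>True|False)\s+(?P<yara>True|False)$")

PAGE = 0x1000
# Assumption (not stated in the report): a 32-bit Windows 7 target, where the PEB
# occupies one of the pages at 0x7FFDx000 and PEB.ImageBaseAddress sits at offset 0x8.
PEB_LO, PEB_HI, PEB_IMAGEBASE_OFF = 0x7FFD0000, 0x7FFE0000, 0x8


def kv(info):
    """'address = 0x400000, size = 512' -> {'address': '0x400000', 'size': '512'}"""
    return dict(p.strip().split(" = ", 1) for p in info.split(",") if " = " in p)


def parse(rows, regex):
    return [m.groupdict() for m in (regex.match(r.strip()) for r in rows) if m]


def detect_hollowing(injection_rows, region_rows):
    inj = [r for r in parse(injection_rows, INJ_RE) if r["ok"] == "True"]
    regions = parse(region_rows, REGION_RE)
    writes = [(int(kv(r["info"])["address"], 16), int(kv(r["info"])["size"]))
              for r in inj if r["type"] == "Modify Memory"]
    ctx_changes = [kv(r["info"])["address"] for r in inj if r["type"] == "Modify Control Flow"]

    # 1. Image layout: a small page-aligned first write (PE headers) followed by
    #    page-aligned writes at ascending addresses (sections), outside the PEB range.
    image_writes = sorted(w for w in writes if not PEB_LO <= w[0] < PEB_HI)
    base = image_writes[0][0] if image_writes else None
    span = max(a + s for a, s in image_writes) - base if image_writes else 0
    pe_layout = (len(image_writes) >= 2 and image_writes[0][1] <= PAGE
                 and all(a % PAGE == 0 for a, _ in image_writes))

    # 2. A pointer-sized write to PEB.ImageBaseAddress so the loader sees the new image.
    peb_patch = any(s == 4 and PEB_LO <= a < PEB_HI and a % PAGE == PEB_IMAGEBASE_OFF
                    for a, s in writes)

    # 3. The written base is private RWX memory while the host's file-backed image is
    #    mapped elsewhere: the original image was replaced, not patched in place.
    at_base = next((r for r in regions if int(r["start"], 16) == base), None)
    rwx_private = (at_base is not None and at_base["type"] == "Private Memory"
                   and "Executable" in at_base["perms"])
    exe_maps = [int(r["start"], 16) for r in regions
                if r["type"] == "Memory Mapped File" and r["name"].lower().endswith(".exe")]
    image_relocated = base is not None and bool(exe_maps) and base not in exe_maps

    score = sum([pe_layout, peb_patch, rwx_private, image_relocated, bool(ctx_changes)])
    verdict = ("process hollowing" if pe_layout and peb_patch and ctx_changes
               else "remote code write" if writes else "no injection")
    return {"base": base, "span": span, "pe_layout": pe_layout, "peb_patch": peb_patch,
            "rwx_private": rwx_private, "image_relocated": image_relocated,
            "thread_context_changed": bool(ctx_changes), "score": score, "verdict": verdict}


# Constructed sample rows, copied in the layout of the report's tables above.
INJECTION_ROWS = r"""
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x400000, size = 512 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x401000, size = 172032 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x455000, size = 3584 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x456000, size = 2048 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x7ffda008, size = 4 True 1
Modify Control Flow #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 os_tid = 0x528, address = 0x77737098 True 1
""".strip().splitlines()

REGION_ROWS = r"""
private_0x0000000000400000 0x00400000 0x00456fff Private Memory Readable, Writable, Executable True False False
regsvcs.exe 0x00d30000 0x00d3dfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007ffda000 0x7ffda000 0x7ffdafff Private Memory Readable, Writable True False False
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in detect_hollowing(INJECTION_ROWS, REGION_ROWS).items():
        print(f"{key:>24}: {value}")
```

A score of 5 with the verdict "process hollowing" means every indicator agreed. The same four image writes without the PEB write and the thread-context change still yield "remote code write", which deserves a look but is not on its own a hollowing. The thresholds (a four-byte PEB write, a header write no larger than one page) are choices made for this example.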
Created Files
Filename | File Size | Hash Values | YARA Match
c:\users\eebsym5\appdata\local\temp\mwixlzwnapdxngrlcvznt | 0.00 KB (2 bytes) | MD5: f3b25701fe362ec84616a93a45ce9998, SHA1: d62636d8caec13f04e28442a0a6fa1afeb024bbb, SHA256: b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 | False
Host Behavior
File (758)
Operation | Filename | Additional Information | Success | Count | Logfile
Create | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite | desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_READ | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | desired_access = GENERIC_WRITE, GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE | True | 1 | Fn
Create | C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt | desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ | True | 1 | Fn
Get Info | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | type = size | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat | type = size | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | type = size | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat | type = size | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\WebCache\WebCacheV24.dat | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite | type = file_attributes | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite | type = time | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini | type = file_attributes | True | 1 | Fn
Get Info | C:\Program Files\Mozilla Firefox\nss3.dll | type = file_attributes | True | 2 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini | type = file_attributes | False | 1 | Fn
Get Info | C:\Program Files\Sea Monkey\nss3.dll | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = file_attributes | True | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal | type = file_attributes | True | 2 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | type = size, size_out = 0 | True | 5 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal | type = file_attributes | False | 2 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\EVWhitelist\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\OriginTrials\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\PepperFlash\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\pnacl\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwiftShader\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\WidevineCdm\Login Data | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Apple Computer\Preferences\keychain.plist | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera\wand.dat | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera7\profile\wand.dat | type = file_attributes | False | 1 | Fn
Get Info | C:\Users\EEBsYm5\AppData\Roaming\Opera Software\Opera Stable\Login Data | type = file_attributes | False | 1 | Fn
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 32, size_out = 32 | True | 1 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 8, size_out = 8 | True | 136 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 256, size_out = 256 | True | 109 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat | size = 384, size_out = 384 | True | 3 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat | size = 32, size_out = 32 | True | 1 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat | size = 8, size_out = 8 | True | 124 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat | size = 256, size_out = 256 | True | 123 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012017100420171005\index.dat | size = 384, size_out = 384 | True | 1 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 32, size_out = 32 | True | 1 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 8, size_out = 8 | True | 90 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 256, size_out = 256 | True | 2 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | size = 384, size_out = 384 | True | 2 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat | size = 32, size_out = 32 | True | 1 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat | size = 8, size_out = 8 | True | 94 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012017070520170706\index.dat | size = 256, size_out = 256 | True | 2 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 100, size_out = 100 | True | 1 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 2048, size_out = 2048 | True | 4 | Fn, Data
Read | C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data | size = 16, size_out = 16 | True | 1 | Fn, Data
Write | C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt | size = 2 | True | 1 | Fn, Data
Registry (20)
Operation | Key | Additional Information | Success | Count | Logfile
Open Key | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 | | False | 1 | Fn
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | | True | 2 | Fn
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin | | False | 2 | Fn
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | | True | 1 | Fn
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | | True | 1 | Fn
Open Key | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe | | False | 1 | Fn
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ | True | 1 | Fn
Read Value | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin | value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ | True | 1 | Fn
Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | | True | 2 | Fn
Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | | True | 2 | Fn
Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | | True | 2 | Fn
Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | | True | 2 | Fn
Enumerate Keys | HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla | | False | 2 | Fn
Process (29)
Operation | Process | Additional Information | Success | Count | Logfile
Open | System | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\smss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\wininit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\csrss.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\winlogon.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\services.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\lsass.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\lsm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\audiodg.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\spoolsv.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\windows\system32\taskhost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\system32\userinit.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\system32\dwm.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\explorer.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\system32\taskeng.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | False | 1 | Fn
Open | c:\program files\adobe\reader 10.0\reader\reader_sl.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\system32\svchost.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
Open | c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe | desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION | True | 1 | Fn
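The File, Registry and Process tables above, together with the Module table that follows, give the host-side picture for process #13: probes of Chrome's Login Data and Web Data, the Firefox profile (profiles.ini, places.sqlite) with nss3.dll loaded from the Firefox installation directory, Opera's wand.dat, Yandex's Login Data, Safari's keychain.plist and Internet Explorer's IntelliForms\Storage2 key; loads of the Windows Vault (vaultcli.dll) and Protected Storage (pstorec.dll) helper libraries; a sweep that opens every process with PROCESS_VM_READ and PROCESS_QUERY_INFORMATION; a Get Filename result whose process_name (svchost.exe) does not match its file_name_orig (RegSvcs.exe); and a command line that points RegSvcs.exe at an output file under %TEMP% with a switch the tool does not document. The script below is an added example, not VMRay's or the sample's code; it parses rows in that table layout and scores those indicators together. The RegSvcs.exe switch list is the documented set as recalled here and is treated as complete (an assumption); the sample rows and command line are constructed copies of rows above.

```python
"""Triage VMRay-style Host Behavior rows for credential harvesting.
Added example, not VMRay's or the sample's code; parses the report's row layout."""
import re
from collections import Counter

ROW_RE = re.compile(
    r"^(?P<op>Open Key|Read Value|Delete Value|Enumerate Keys|Get Info|Get Handle|Get Address|"
    r"Get Filename|Create|Read|Write|Open|Load)\s+(?P<rest>.*?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$")
INFO_RE = re.compile(r"(?:^|\s)(\w+ = .*)$")  # the first 'key = value' opens the info column

# Browser/credential stores probed in the report, one regex per family (case-insensitive).
STORES = {
    "chrome":  r"\\Google\\Chrome\\User Data\\.*\\(Login Data|Web Data)$",
    "firefox": r"\\Mozilla\\Firefox\\(profiles\.ini|Profiles\\.*\\(places\.sqlite|history\.dat|logins\.json|key[34]\.db))$",
    "opera":   r"\\Opera.*\\(wand\.dat|Login Data)$",
    "yandex":  r"\\Yandex\\YandexBrowser\\.*\\Login Data$",
    "safari":  r"\\Apple Computer\\Preferences\\keychain\.plist$",
    "ie":      r"(\\IntelliForms\\Storage2$|\\History\.IE5\\.*index\.dat$)",
}
CRED_DLLS = {"vaultcli.dll": "Windows Vault", "pstorec.dll": "Protected Storage", "nss3.dll": "Mozilla NSS"}
SWEEP_RIGHTS = {"PROCESS_VM_READ", "PROCESS_QUERY_INFORMATION"}
# RegSvcs.exe switches as documented (assumption: treated as the complete set); anything else is off-spec.
REGSVCS_SWITCHES = {"/appname", "/appdir", "/parname", "/c", "/fc", "/reconfig", "/noreconfig",
                    "/tlb", "/extlb", "/componly", "/exapp", "/u", "/quiet", "/nologo", "/help", "/?"}


def parse_row(line):
    """'Op Target key = value, ... True 1' -> columns; None for lines that are not rows."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    im = INFO_RE.search(m["rest"])
    target, info = (m["rest"][:im.start()].strip(), im.group(1)) if im else (m["rest"], "")
    return {"op": m["op"], "target": target, "info": info, "ok": m["ok"] == "True"}


def kv(info):
    return dict(p.split(" = ", 1) for p in info.split(", ") if " = " in p)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(image_path, command_line, rows):
    stores, dlls, sweep, mismatches = set(), {}, Counter(), []
    for e in filter(None, map(parse_row, rows)):
        for family, pattern in STORES.items():
            if re.search(pattern, e["target"], re.IGNORECASE):
                stores.add(family)
        if e["op"] == "Load" and basename(e["target"]) in CRED_DLLS:
            dlls[basename(e["target"])] = CRED_DLLS[basename(e["target"])]
        if e["op"] == "Open" and e["target"].lower().endswith(".exe"):
            rights = {r.strip() for r in e["info"].split(" = ", 1)[-1].split(",")}
            if SWEEP_RIGHTS <= rights:  # denied attempts count too; the sweep itself is the signal
                sweep[e["target"].lower()] += 1
        if e["op"] == "Get Filename":
            f = kv(e["info"])
            if {"process_name", "file_name_orig"} <= set(f) and \
                    basename(f["process_name"]) != basename(f["file_name_orig"]):
                mismatches.append((f["process_name"], f["file_name_orig"]))
    tokens = re.findall(r'"[^"]*"|\S+', command_line)
    is_regsvcs = basename(image_path) == "regsvcs.exe"
    unknown = [t.lower() for t in tokens[1:]
               if is_regsvcs and t.startswith("/") and t.lower() not in REGSVCS_SWITCHES]
    temp_out = any("\\appdata\\local\\temp\\" in t.lower() for t in tokens[1:])
    score = sum([len(stores) >= 2, bool(dlls), len(sweep) >= 5, bool(unknown and temp_out), bool(mismatches)])
    return {"credential_stores": sorted(stores), "credential_dlls": dlls,
            "sweep_targets": len(sweep), "sweep_attempts": sum(sweep.values()),
            "unknown_switches": unknown, "temp_output": temp_out,
            "image_name_mismatches": mismatches, "score": score,
            "verdict": ("credential harvesting (unexpected host image)" if score >= 3
                        else "suspicious" if score else "nothing flagged")}


IMAGE = r"c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe"
COMMAND_LINE = r'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt"'
# Constructed sample rows, copied in the layout of the Host Behavior tables above.
HOST_ROWS = r"""
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite desired_access = GENERIC_READ, file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\EEBsYm5\AppData\Local\Google\Chrome\User Data\Default\Web Data desired_access = GENERIC_READ True 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Opera\Opera\wand.dat type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Apple Computer\Preferences\keychain.plist type = file_attributes False 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\mwixlzwnapdxngrlcvznt size = 2 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
Load pstorec.dll base_address = 0x72430000 True 1
Load vaultcli.dll base_address = 0x723c0000 True 1
Load C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x732a0000 True 1
Open c:\windows\system32\lsass.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION False 1
Open c:\windows\system32\svchost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\taskhost.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\dwm.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_READ, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\system32\svchost.exe desired_access = SYNCHRONIZE True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260 True 1
Get Filename C:\Program Files\Mozilla Firefox\nss3.dll process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 1
""".strip().splitlines()

if __name__ == "__main__":
    for key, value in triage(IMAGE, COMMAND_LINE, HOST_ROWS).items():
        print(f"{key:>22}: {value}")
```

Denied OpenProcess calls are counted on purpose: at Medium integrity the handle to System, lsass.exe or csrss.exe is refused, as the Process table shows, but the attempt across the whole process list is the behaviour worth flagging. The SYNCHRONIZE-only open in the sample is ignored because it lacks the read rights. The verdict threshold of three indicators is a choice for this example; tune it against benign RegSvcs.exe runs before relying on it.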
Module (346)
Operation | Module | Additional Information | Success | Count | Logfile
Load | comctl32.dll | base_address = 0x72220000 | True | 1 | Fn
Load | shell32.dll | base_address = 0x767c0000 | True | 1 | Fn
Load | advapi32.dll | base_address = 0x76000000 | True | 2 | Fn
Load | pstorec.dll | base_address = 0x72430000 | True | 1 | Fn
Load | vaultcli.dll | base_address = 0x723c0000 | True | 1 | Fn
Load | C:\Program Files\Mozilla Firefox\nss3.dll | base_address = 0x732a0000 | True | 1 | Fn
Load | psapi.dll | base_address = 0x77830000 | True | 1 | Fn
Get Handle | c:\windows\system32\kernel32.dll | base_address = 0x75b40000 | True | 3 | Fn
Get Handle | c:\windows\system32\msvcrt.dll | base_address = 0x75d20000 | True | 1 | Fn
Get Handle | c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll | base_address = 0x72220000 | True | 1 | Fn
Get Handle | c:\windows\system32\version.dll | base_address = 0x74d90000 | True | 1 | Fn
Get Handle | c:\windows\system32\wininet.dll | base_address = 0x75c20000 | True | 1 | Fn
Get Handle | c:\windows\system32\user32.dll | base_address = 0x764b0000 | True | 1 | Fn
Get Handle | c:\windows\system32\gdi32.dll | base_address = 0x76460000 | True | 1 | Fn
Get Handle | c:\windows\system32\comdlg32.dll | base_address = 0x77860000 | True | 1 | Fn
Get Handle | c:\windows\system32\advapi32.dll | base_address = 0x76000000 | True | 1 | Fn
Get Handle | c:\windows\system32\shell32.dll | base_address = 0x767c0000 | True | 1 | Fn
Get Handle | c:\windows\system32\ole32.dll | base_address = 0x76170000 | True | 1 | Fn
Get Handle | private_0x0000000000400000 | base_address = 0x400000 | True | 22 | Fn
Get Handle | C:\Program Files\Mozilla Firefox\nss3.dll | base_address = 0x0 | False | 1 | Fn
Get Handle | c:\program files\mozilla firefox\nss3.dll | base_address = 0x732a0000 | True | 1 | Fn
Get Filename | | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 | True | 2 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\taskhost.exe, file_name_orig = C:\Windows\system32\taskhost.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\userinit.exe, file_name_orig = C:\Windows\system32\userinit.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\dwm.exe, file_name_orig = C:\Windows\system32\Dwm.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\explorer.exe, file_name_orig = C:\Windows\Explorer.EXE, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\program files\adobe\reader 10.0\reader\reader_sl.exe, file_name_orig = C:\Program Files\Adobe\Reader 10.0\Reader\reader_sl.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\system32\svchost.exe, file_name_orig = C:\Windows\system32\svchost.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 | True | 1 | Fn
Get Filename | C:\Program Files\Mozilla Firefox\nss3.dll | process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 | True | 1 | Fn
Get Address | c:\windows\system32\kernel32.dll | function = VirtualProtect, address_out = 0x75b82341 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = __setusermatherr, address_out = 0x75db77ad | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _adjust_fdiv, address_out = 0x75dc32ec | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = __p__commode, address_out = 0x75d327c3 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = __p__fmode, address_out = 0x75d327ce | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = wcscat, address_out = 0x75da0ea6 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = __set_app_type, address_out = 0x75d32804 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _controlfp, address_out = 0x75d2e1e1 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = realloc, address_out = 0x75d2b10d | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = qsort, address_out = 0x75d2d3e6 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _itow, address_out = 0x75d3019c | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _wcsupr, address_out = 0x75d2dac1 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _wcslwr, address_out = 0x75d2fb25 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = strchr, address_out = 0x75d2dbeb | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _initterm, address_out = 0x75d2c151 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = wcsncmp, address_out = 0x75d2b05e | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = memmove, address_out = 0x75d29e5a | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = free, address_out = 0x75d29894 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = modf, address_out = 0x75d37551 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _memicmp, address_out = 0x75d306c8 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = wcstoul, address_out = 0x75d2b319 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = malloc, address_out = 0x75d29cee | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _XcptFilter, address_out = 0x75d4dc75 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = strcpy, address_out = 0x75d38d6e | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _wtoi64, address_out = 0x75d3062e | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = strcmp, address_out = 0x75d38b11 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = wcsrchr, address_out = 0x75d2a73f | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = __wgetmainargs, address_out = 0x75d34e7c | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _wcmdln, address_out = 0x75dc04dc | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = exit, address_out = 0x75d336aa | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _strlwr, address_out = 0x75d3ca0b | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _cexit, address_out = 0x75d337d4 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = _wcsnicmp, address_out = 0x75d2aae3 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = memcmp, address_out = 0x75d37975 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = wcscmp, address_out = 0x75d3d3b7 | True | 1 | Fn
Get Address | c:\windows\system32\msvcrt.dll | function = abs, address_out = 0x75d4eb1e | True | 1 | Fn
Get Address c:\windows\system32\msvcrt.dll function = log, address_out = 0x75d4de50 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _purecall, address_out = 0x75d86ea9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcslen, address_out = 0x75d3d335 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wtoi, address_out = 0x75d2c823 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcsicmp, address_out = 0x75d2a9e9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcschr, address_out = 0x75d2aa61 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcpy, address_out = 0x75d29910 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcscpy, address_out = 0x75d3d4f8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memset, address_out = 0x75d29790 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strlen, address_out = 0x75d343d3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsncat, address_out = 0x75da0ed9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _snwprintf, address_out = 0x75d495d1 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _except_handler3, address_out = 0x75d4d770 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _exit, address_out = 0x75d8b2c0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _c_exit, address_out = 0x75d8b2db True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _onexit, address_out = 0x75d3112d True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __dllonexit, address_out = 0x75d2f509 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memchr, address_out = 0x75d3e134 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _gmtime64, address_out = 0x75da2936 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strftime, address_out = 0x75da1fd5 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 17, address_out = 0x72221739 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_AddMasked, address_out = 0x72228b75 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_SetImageCount, address_out = 0x72286e17 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_Create, address_out = 0x7222908c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_ReplaceIcon, address_out = 0x72286ea3 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateToolbarEx, address_out = 0x7224a4d5 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateStatusWindowW, address_out = 0x7224a10f True 1
Fn
Get Address c:\windows\system32\version.dll function = GetFileVersionInfoSizeW, address_out = 0x74d919d9 True 1
Fn
Get Address c:\windows\system32\version.dll function = GetFileVersionInfoW, address_out = 0x74d919f4 True 1
Fn
Get Address c:\windows\system32\version.dll function = VerQueryValueW, address_out = 0x74d91b51 True 1
Fn
Get Address c:\windows\system32\wininet.dll function = FindCloseUrlCache, address_out = 0x75c68409 True 1
Fn
Get Address c:\windows\system32\wininet.dll function = FindNextUrlCacheEntryW, address_out = 0x75c5989c True 1
Fn
Get Address c:\windows\system32\wininet.dll function = FindFirstUrlCacheEntryW, address_out = 0x75c5978a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFullPathNameA, address_out = 0x75b93735 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x75b847cb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDiskFreeSpaceW, address_out = 0x75b73530 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFullPathNameW, address_out = 0x75b94543 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = AreFileApisANSI, address_out = 0x75bcf311 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnterCriticalSection, address_out = 0x777377a0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemTime, address_out = 0x75b8ced8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockFileEx, address_out = 0x75ba692f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x75ba8868 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemTimeAsFileTime, address_out = 0x75b92fde True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnlockFileEx, address_out = 0x75ba6947 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTickCount, address_out = 0x75b8ba60 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockFile, address_out = 0x75ba642f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FlushFileBuffers, address_out = 0x75b77f81 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InitializeCriticalSection, address_out = 0x7774a149 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x75b8cee8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDiskFreeSpaceA, address_out = 0x75b9d7d2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Sleep, address_out = 0x75b8ba46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x75b8cf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoW, address_out = 0x75b93891 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x75ba6a65 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnlockFile, address_out = 0x75ba6417 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = InterlockedCompareExchange, address_out = 0x75b8bb92 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteCriticalSection, address_out = 0x77749ac5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesExW, address_out = 0x75b8273d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = QueryPerformanceCounter, address_out = 0x75b8bb9f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x75b91de6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LeaveCriticalSection, address_out = 0x77737760 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetEndOfFile, address_out = 0x75b82319 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemInfo, address_out = 0x75b93728 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceTypesW, address_out = 0x75ba2b37 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x75b8ca64 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x75b80273 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SystemTimeToFileTime, address_out = 0x75b8cecb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x75b8ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FileTimeToLocalFileTime, address_out = 0x75b92004 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileW, address_out = 0x75b80f62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileW, address_out = 0x75b767c3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileW, address_out = 0x75b8cc56 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareFileTime, address_out = 0x75b913f3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x75b8d9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryW, address_out = 0x75b93c01 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x75b933d3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x75b8bf00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FileTimeToSystemTime, address_out = 0x75b91dfe True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointerEx, address_out = 0x75b7f5b2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentDirectoryW, address_out = 0x75b9c13a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExpandEnvironmentStringsW, address_out = 0x75b84680 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x75b9450e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x75b9452b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalLock, address_out = 0x75b89e05 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetDateFormatW, address_out = 0x75b8afab True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileTime, address_out = 0x75b80f6f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageW, address_out = 0x75b854a3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameW, address_out = 0x75b76d1d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExW, address_out = 0x75b83b1a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x75b90e62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileW, address_out = 0x75b953b2 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleW, address_out = 0x75b9374d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTimeFormatW, address_out = 0x75b8ac29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x75b8db36 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesW, address_out = 0x75b964ff True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryW, address_out = 0x75b804b6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x75b896fb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameW, address_out = 0x75b93c26 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x75b91400 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindResourceW, address_out = 0x75b83e61 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockResource, address_out = 0x75b7fd29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrcpyW, address_out = 0x75b78bfa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = lstrlenW, address_out = 0x75b8d9e8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadResource, address_out = 0x75b8984d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SystemTimeToTzSpecificLocalTime, address_out = 0x75b7b149 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExW, address_out = 0x75b84775 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x75b89ce1 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalUnlock, address_out = 0x75b89d50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathW, address_out = 0x75b78b33 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileW, address_out = 0x75b8963a True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SizeofResource, address_out = 0x75b83e7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileMappingW, address_out = 0x75b80a7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MapViewOfFile, address_out = 0x75b8899b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = UnmapViewOfFile, address_out = 0x75b8db13 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x75b8cdcf True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DuplicateHandle, address_out = 0x75b8cdd9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x75b8cac4 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = OpenProcess, address_out = 0x75b859d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringW, address_out = 0x75b77d32 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WritePrivateProfileStringW, address_out = 0x75b780eb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileIntW, address_out = 0x75b7775f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceNamesW, address_out = 0x75ba7e29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x75b91e46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetErrorMode, address_out = 0x75b94a51 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x75b9214f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadProcessMemory, address_out = 0x75b7c1ce True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryW, address_out = 0x75b97663 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Process32FirstW, address_out = 0x75b7fa35 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = Process32NextW, address_out = 0x75b7faca True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateToolhelp32Snapshot, address_out = 0x75b7f731 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DispatchMessageW, address_out = 0x764ccc61 True 1
Fn
Get Address c:\windows\system32\user32.dll function = BeginDeferWindowPos, address_out = 0x764ba6a6 True 1
Fn
Get Address c:\windows\system32\user32.dll function = TranslateMessage, address_out = 0x764c64c7 True 1
Fn
Get Address c:\windows\system32\user32.dll function = IsDialogMessageW, address_out = 0x764c4104 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DrawTextExW, address_out = 0x764c5894 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMessageW, address_out = 0x764ccde8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = PostQuitMessage, address_out = 0x764bb308 True 1
Fn
Get Address c:\windows\system32\user32.dll function = TrackPopupMenu, address_out = 0x764d2228 True 1
Fn
Get Address c:\windows\system32\user32.dll function = RegisterWindowMessageW, address_out = 0x764bdf8d True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetKeyState, address_out = 0x764c2b4d True 1
Fn
Get Address c:\windows\system32\user32.dll function = EndDeferWindowPos, address_out = 0x764ba67a True 1
Fn
Get Address c:\windows\system32\user32.dll function = DialogBoxParamW, address_out = 0x764d3b9b True 1
Fn
Get Address c:\windows\system32\user32.dll function = ChildWindowFromPoint, address_out = 0x764fb6aa True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadCursorW, address_out = 0x764bed90 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetCursor, address_out = 0x764c3075 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSysColorBrush, address_out = 0x764bf1ed True 1
Fn
Get Address c:\windows\system32\user32.dll function = ShowWindow, address_out = 0x764bf2a9 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowTextW, address_out = 0x764c612b True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetDlgItemInt, address_out = 0x764dec2e True 1
Fn
Get Address c:\windows\system32\user32.dll function = UpdateWindow, address_out = 0x764bffa8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetDlgItemTextW, address_out = 0x764debd4 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgItemTextW, address_out = 0x764decbc True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetClientRect, address_out = 0x764c54dd True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x764c67cf True 1
Fn
Get Address c:\windows\system32\user32.dll function = DeferWindowPos, address_out = 0x764ba6c8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CreateWindowExW, address_out = 0x764bec7c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowRect, address_out = 0x764c558c True 1
Fn
Get Address c:\windows\system32\user32.dll function = SendDlgItemMessageW, address_out = 0x764d70d8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgItemInt, address_out = 0x764ded56 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EndDialog, address_out = 0x764e3ba3 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowLongW, address_out = 0x764c4449 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgItem, address_out = 0x764e42bb True 1
Fn
Get Address c:\windows\system32\user32.dll function = InvalidateRect, address_out = 0x764c566d True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowPlacement, address_out = 0x764e69de True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadAcceleratorsW, address_out = 0x764b976d True 1
Fn
Get Address c:\windows\system32\user32.dll function = DefWindowProcW, address_out = 0x764c507d True 1
Fn
Get Address c:\windows\system32\user32.dll function = SendMessageW, address_out = 0x764c5539 True 1
Fn
Get Address c:\windows\system32\user32.dll function = PostMessageW, address_out = 0x764c447b True 1
Fn
Get Address c:\windows\system32\user32.dll function = RegisterClassW, address_out = 0x764bed4a True 1
Fn
Get Address c:\windows\system32\user32.dll function = MessageBoxW, address_out = 0x7650ea5f True 1
Fn
Get Address c:\windows\system32\user32.dll function = TranslateAcceleratorW, address_out = 0x764c667e True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetMenu, address_out = 0x764e6b0e True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowPlacement, address_out = 0x764b7f78 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadImageW, address_out = 0x764c12eb True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadIconW, address_out = 0x764bf142 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowLongW, address_out = 0x764c61b8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetFocus, address_out = 0x764babad True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenuStringW, address_out = 0x764e6528 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CheckMenuItem, address_out = 0x764dee7c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenuItemCount, address_out = 0x764bae39 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CheckMenuRadioItem, address_out = 0x764d25df True 1
Fn
Get Address c:\windows\system32\user32.dll function = CloseClipboard, address_out = 0x764e446c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetCursorPos, address_out = 0x764ba4b3 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetClipboardData, address_out = 0x764d2962 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnableWindow, address_out = 0x764b8d02 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSysColor, address_out = 0x764cdb7a True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetParent, address_out = 0x764c6029 True 1
Fn
Get Address c:\windows\system32\user32.dll function = MapWindowPoints, address_out = 0x764c5caa True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenu, address_out = 0x764e6b68 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDC, address_out = 0x764c544c True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetSubMenu, address_out = 0x764b9c19 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EmptyClipboard, address_out = 0x764d290c True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnableMenuItem, address_out = 0x764e43bc True 1
Fn
Get Address c:\windows\system32\user32.dll function = ReleaseDC, address_out = 0x764c5421 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetClassNameW, address_out = 0x764c2a29 True 1
Fn
Get Address c:\windows\system32\user32.dll function = OpenClipboard, address_out = 0x764e447e True 1
Fn
Get Address c:\windows\system32\user32.dll function = MoveWindow, address_out = 0x764b8d29 True 1
Fn
Get Address c:\windows\system32\user32.dll function = CreateDialogParamW, address_out = 0x764e5630 True 1
Fn
Get Address c:\windows\system32\user32.dll function = EnumChildWindows, address_out = 0x764c2948 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadStringW, address_out = 0x764bdfba True 1
Fn
Get Address c:\windows\system32\user32.dll function = DestroyWindow, address_out = 0x764bb2f4 True 1
Fn
Get Address c:\windows\system32\user32.dll function = SetWindowPos, address_out = 0x764c1bc4 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetWindowTextW, address_out = 0x764bb8c5 True 1
Fn
Get Address c:\windows\system32\user32.dll function = LoadMenuW, address_out = 0x764bf214 True 1
Fn
Get Address c:\windows\system32\user32.dll function = ModifyMenuW, address_out = 0x764e46c7 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMenuItemInfoW, address_out = 0x764baefa True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetDlgCtrlID, address_out = 0x764bb4e8 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DestroyMenu, address_out = 0x764b87f7 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetBkColor, address_out = 0x76466a3c True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SelectObject, address_out = 0x76466640 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = GetDeviceCaps, address_out = 0x76466f7f True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x72226be6 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathW, address_out = 0x767e0468 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x760091dd True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptReleaseContext, address_out = 0x7600e124 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7600df4e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptGetHashParam, address_out = 0x7600df7e True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7600df36 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7600df66 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CredReadA, address_out = 0x760471c1 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x7600b2ec True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CredDeleteA, address_out = 0x76047941 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateA, address_out = 0x76047381 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76047481 True 1
Fn
Get Address c:\windows\system32\pstorec.dll function = PStoreCreateInstance, address_out = 0x7243526c True 1
Fn
Get Address c:\windows\system32\vaultcli.dll function = VaultOpenVault, address_out = 0x723c26a9 True 1
Fn
Get Address c:\windows\system32\vaultcli.dll function = VaultCloseVault, address_out = 0x723c2718 True 1
Fn
Get Address c:\windows\system32\vaultcli.dll function = VaultEnumerateItems, address_out = 0x723c3099 True 1
Fn
Get Address c:\windows\system32\vaultcli.dll function = VaultFree, address_out = 0x723c4321 True 1
Fn
Get Address c:\windows\system32\vaultcli.dll function = VaultGetInformation, address_out = 0x723c24c0 True 1
Fn
Get Address c:\windows\system32\vaultcli.dll function = VaultGetItem, address_out = 0x723c3242 True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x7335d70b True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x7335d13c True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x732f3c51 True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x732f3333 True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_CheckUserPassword, address_out = 0x732dcbc4 True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x732dd3ca True 2
Fn
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x732f00a7 True 2
Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleBaseNameW, address_out = 0x7783152c True 1
Fn
Get Address c:\windows\system32\psapi.dll function = EnumProcessModules, address_out = 0x77831408 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleFileNameExW, address_out = 0x778313f0 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = EnumProcesses, address_out = 0x77831544 True 1
Fn
Get Address c:\windows\system32\psapi.dll function = GetModuleInformation, address_out = 0x77831420 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcessTimes, address_out = 0x75b7f626 True 1
Fn
System (3)
Operation Additional Information Success Count Logfile
Get Info type = Operating System False 2
Fn
Get Info type = Hardware Information True 1
Fn
Ini (28)
Operation Filename Additional Information Success Count Logfile
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowInfoTip, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowTimeInGMT, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsIE, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsFirefox, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsChrome, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsOpera, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsSafari, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsSeaMonkey, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = LoadPasswordsYandex, default_value = 1 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseFirefoxProfileFolder, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseFirefoxInstallFolder, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseChromeProfileFolder, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = UseOperaPasswordFile, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = FirefoxProfileFolder False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = FirefoxInstallFolder False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ChromeProfileFolder False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = OperaPasswordFile False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFileEncoeding, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = WinPos False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Columns False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = Path, data_out = Profiles/h231daer.default True 1
Fn
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile0, key_name = IsRelative, default_value = 0 True 1
Fn
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = Path False 1
Fn
Read C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\profiles.ini section_name = Profile1, key_name = IsRelative, default_value = 0 True 1
Fn
Process #14: regsvcs.exe
(Host: 337, Network: 0)
Information Value
ID #14
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:02
OS Process Information
Information Value
PID 0x514
Parent PID 0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x510
0x674
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
private_0x0000000000050000 0x00050000 0x00050fff Private Memory Readable, Writable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable, Writable True False False
tzres.dll 0x00070000 0x00070fff Memory Mapped File Readable False False False
pagefile_0x0000000000080000 0x00080000 0x00086fff Pagefile Backed Memory Readable True False False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False
locale.nls 0x00190000 0x001f6fff Memory Mapped File Readable False False False
pagefile_0x0000000000200000 0x00200000 0x002c7fff Pagefile Backed Memory Readable True False False
private_0x00000000002d0000 0x002d0000 0x003cffff Private Memory Readable, Writable True False False
pagefile_0x00000000003d0000 0x003d0000 0x003d1fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00423fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000430000 0x00430000 0x00530fff Pagefile Backed Memory Readable True False False
private_0x0000000000540000 0x00540000 0x0054ffff Private Memory Readable, Writable True False False
private_0x0000000000550000 0x00550000 0x0064ffff Private Memory Readable, Writable True False False
private_0x0000000000680000 0x00680000 0x0068ffff Private Memory Readable, Writable True False False
rsaenh.dll 0x00690000 0x006cbfff Memory Mapped File Readable False False False
private_0x0000000000730000 0x00730000 0x0082ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x00830000 0x00afefff Memory Mapped File Readable False False False
private_0x0000000000b00000 0x00b00000 0x00ceffff Private Memory Readable, Writable True False False
private_0x0000000000b00000 0x00b00000 0x00bfffff Private Memory Readable, Writable True False False
private_0x0000000000cb0000 0x00cb0000 0x00ceffff Private Memory Readable, Writable True False False
regsvcs.exe 0x00d30000 0x00d3dfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000d40000 0x00d40000 0x0193ffff Pagefile Backed Memory Readable True False False
private_0x0000000001940000 0x01940000 0x01b1ffff Private Memory Readable, Writable True False False
private_0x0000000001940000 0x01940000 0x01a3ffff Private Memory Readable, Writable True False False
private_0x0000000001a00000 0x01a00000 0x01afffff Private Memory Readable, Writable True False False
private_0x0000000001b10000 0x01b10000 0x01b1ffff Private Memory Readable, Writable True False False
pagefile_0x0000000001b20000 0x01b20000 0x01f12fff Pagefile Backed Memory Readable True False False
msvcp100.dll 0x6e240000 0x6e2a8fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x6e2b0000 0x6e36dfff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x6e370000 0x6e524fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x6ec80000 0x6ecb1fff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x6f020000 0x6f046fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x6f050000 0x6f071fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x721d0000 0x721d6fff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x72220000 0x722a3fff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x73f10000 0x73f5efff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x73fe0000 0x73ff6fff Memory Mapped File Readable, Writable, Executable False False False
rsaenh.dll 0x750b0000 0x750eafff Memory Mapped File Readable, Writable, Executable False False False
cryptsp.dll 0x75310000 0x75325fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75770000 0x7578afff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x75790000 0x7579bfff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76650000 0x76655fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77860000 0x778dafff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x778e0000 0x77914fff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd8000 0x7ffd8000 0x7ffd8fff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x400000, size = 512 True 1
Fn
Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x401000, size = 54784 True 1
Fn
Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x422000, size = 3584 True 1
Fn
Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x423000, size = 4096 True 1
Fn
Data
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x7ffd8008, size = 4 True 1
Fn
Data
Modify Control Flow #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 os_tid = 0x510, address = 0x77737098 True 1
Fn
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\eebsym5\appdata\local\temp\wqnqmshpoxvbxmnplxmoexxv 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e, SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709, SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 False
Host Behavior
File (16)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
Create C:\Users\EEBsYm5\AppData\Local\Temp\wqnqmshpoxvbxmnplxmoexxv desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Fn
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini type = file_attributes False 1
Fn
Get Info trillian type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Trillian\users\global type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\.gaim type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\.purple type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Miranda type = file_attributes False 1
Fn
Get Info type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\MySpace\IM\users.txt type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Digsby\digsby.dat type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\history.dat type = file_attributes False 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite type = file_attributes True 1
Fn
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Firefox\Profiles\h231daer.default\places.sqlite type = time True 1
Fn
Get Info C:\Program Files\Mozilla Firefox\nss3.dll type = file_attributes True 1
Fn
Registry (28)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion True 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Miranda False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService False 3
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL False 1
Fn
Open Key HKEY_CURRENT_USER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users False 1
Fn
Open Key HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords False 1
Fn
Open Key HKEY_CURRENT_USER\Software\AIM\AIMPRO False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mirabilis\ICQ\NewOwners False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Mirabilis\ICQ\NewOwners False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Paltalk False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\bin False 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion value_name = ProgramFilesDir, data = C:\Program Files, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 25.0\bin value_name = PathToExe, data = C:\Program Files\Mozilla Firefox\firefox.exe, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla True 1
Fn
Enumerate Keys HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla False 1
Fn
Module (272)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x72220000 True 1
Fn
Load shell32.dll base_address = 0x767c0000 True 1
Fn
Load advapi32.dll base_address = 0x76000000 True 4
Fn
Load crypt32.dll base_address = 0x75910000 True 1
Fn
Load C:\Program Files\Mozilla Firefox\nss3.dll base_address = 0x6e370000 True 1
Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x75b40000 True 3
Fn
Get Handle c:\windows\system32\msvcrt.dll base_address = 0x75d20000 True 1
Fn
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x72220000 True 1
Fn
Get Handle c:\windows\system32\user32.dll base_address = 0x764b0000 True 1
Fn
Get Handle c:\windows\system32\gdi32.dll base_address = 0x76460000 True 1
Fn
Get Handle c:\windows\system32\comdlg32.dll base_address = 0x77860000 True 1
Fn
Get Handle c:\windows\system32\advapi32.dll base_address = 0x76000000 True 1
Fn
Get Handle c:\windows\system32\shell32.dll base_address = 0x767c0000 True 1
Fn
Get Handle c:\windows\system32\ole32.dll base_address = 0x76170000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Fn
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualProtect, address_out = 0x75b82341 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = free, address_out = 0x75d29894 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strlwr, address_out = 0x75d3ca0b True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strupr, address_out = 0x75d3d49e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcslwr, address_out = 0x75d2fb25 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = qsort, address_out = 0x75d2d3e6 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _wcsnicmp, address_out = 0x75d2aae3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strncmp, address_out = 0x75d2b443 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __dllonexit, address_out = 0x75d2f509 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _onexit, address_out = 0x75d3112d True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _c_exit, address_out = 0x75d8b2db True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _exit, address_out = 0x75d8b2c0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _XcptFilter, address_out = 0x75d4dc75 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _cexit, address_out = 0x75d337d4 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = exit, address_out = 0x75d336aa True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _acmdln, address_out = 0x75dc04d8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strrchr, address_out = 0x75d2dbae True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _initterm, address_out = 0x75d2c151 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __setusermatherr, address_out = 0x75db77ad True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strchr, address_out = 0x75d2dbeb True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _ultoa, address_out = 0x75d71822 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = malloc, address_out = 0x75d29cee True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _memicmp, address_out = 0x75d306c8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcmp, address_out = 0x75d38b11 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbsnbicmp, address_out = 0x75d83480 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbsrchr, address_out = 0x75d38e5b True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _snprintf, address_out = 0x75d4fa7c True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memset, address_out = 0x75d29790 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strnicmp, address_out = 0x75d30578 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcschr, address_out = 0x75d2aa61 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcsncmp, address_out = 0x75d2b05e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcslen, address_out = 0x75d3d335 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = abs, address_out = 0x75d4eb1e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = sprintf, address_out = 0x75d3d354 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = atoi, address_out = 0x75d2dbe0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcmp, address_out = 0x75d37975 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __getmainargs, address_out = 0x75d32bc0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _strcmpi, address_out = 0x75d2db38 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbsicmp, address_out = 0x75d39238 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _purecall, address_out = 0x75d86ea9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = log, address_out = 0x75d4de50 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _mbscmp, address_out = 0x75d483c0 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strlen, address_out = 0x75d343d3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _itoa, address_out = 0x75d44218 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcpy, address_out = 0x75d38d6e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strtoul, address_out = 0x75d3012e True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = memcpy, address_out = 0x75d29910 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = wcscpy, address_out = 0x75d3d4f8 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strcat, address_out = 0x75d38d75 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = strncat, address_out = 0x75d50909 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _adjust_fdiv, address_out = 0x75dc32ec True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __p__commode, address_out = 0x75d327c3 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __p__fmode, address_out = 0x75d327ce True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = __set_app_type, address_out = 0x75d32804 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _controlfp, address_out = 0x75d2e1e1 True 1
Fn
Get Address c:\windows\system32\msvcrt.dll function = _except_handler3, address_out = 0x75d4d770 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 6, address_out = 0x7224a14c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_Create, address_out = 0x7222908c True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_ReplaceIcon, address_out = 0x72286ea3 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 17, address_out = 0x72221739 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_AddMasked, address_out = 0x72228b75 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_SetImageCount, address_out = 0x72286e17 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateToolbarEx, address_out = 0x7224a4d5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryA, address_out = 0x75b8903d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x75b9214f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x75b8cac4 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x75b8cdcf True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CompareFileTime, address_out = 0x75b913f3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVolumeInformationA, address_out = 0x75ba41aa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x75b91e46 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x75b7d8d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x75b7dc43 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceNamesA, address_out = 0x75ba5a34 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WritePrivateProfileStringA, address_out = 0x75b9d763 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x75b76ba9 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x75ba6a65 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetSystemDirectoryA, address_out = 0x75b88fc5 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryA, address_out = 0x75ba5d02 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateRemoteThread, address_out = 0x75bcf33b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindResourceA, address_out = 0x75b8a05b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = EnumResourceTypesA, address_out = 0x75bccb42 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LockResource, address_out = 0x75b7fd29 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoA, address_out = 0x75b41e10 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x75b847cb True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadResource, address_out = 0x75b8984d True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SizeofResource, address_out = 0x75b83e7f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x75b9450e True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x75b933d3 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x75b8cf41 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x75b8d9d0 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x75b9452b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x75b91400 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x75b9395c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadProcessMemory, address_out = 0x75b7c1ce True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WaitForSingleObject, address_out = 0x75b8ba90 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x75b8ca7c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x75b8ca64 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = WriteProcessMemory, address_out = 0x75b7c1de True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ResumeThread, address_out = 0x75b80f1c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualAllocEx, address_out = 0x75b7c1b6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = OpenProcess, address_out = 0x75b859d7 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x75b80273 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = VirtualFreeEx, address_out = 0x75b7c1ee True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetCurrentDirectoryA, address_out = 0x75b7733c True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x75b78a5b True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x75b89ce1 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x75b933f6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalLock, address_out = 0x75b89e05 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GlobalUnlock, address_out = 0x75b89d50 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindNextFileA, address_out = 0x75b8a187 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExA, address_out = 0x75b847fa True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileA, address_out = 0x75b92d89 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x75b8cee8 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x75b8bf00 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileTime, address_out = 0x75b80f6f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x75b8db36 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x75b91de6 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameA, address_out = 0x75ba695f True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x75b90e62 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = GetVersionExA, address_out = 0x75b93861 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x75ba8868 True 1
Fn
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x75b896fb True 1
Fn
Get Address c:\windows\system32\user32.dll function = CopyRect, address_out = 0x764c4ad9 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DrawTextExA, address_out = 0x764dae60 True 1
Fn
Get Address c:\windows\system32\user32.dll function = DispatchMessageA, address_out = 0x764c2e32 True 1
Fn
Get Address c:\windows\system32\user32.dll function = GetMessageA, address_out = 0x764c1899 True 1
Fn
Get Address c:\windows\system32\user32.dll function = IsDialogMessageA, address_out = 0x764d2019 True 1
Get Address c:\windows\system32\user32.dll function = DeferWindowPos, address_out = 0x764ba6c8 True 1
Get Address c:\windows\system32\user32.dll function = TranslateMessage, address_out = 0x764c64c7 True 1
Get Address c:\windows\system32\user32.dll function = BeginDeferWindowPos, address_out = 0x764ba6a6 True 1
Get Address c:\windows\system32\user32.dll function = PostQuitMessage, address_out = 0x764bb308 True 1
Get Address c:\windows\system32\user32.dll function = TrackPopupMenu, address_out = 0x764d2228 True 1
Get Address c:\windows\system32\user32.dll function = EndDeferWindowPos, address_out = 0x764ba67a True 1
Get Address c:\windows\system32\user32.dll function = GetFocus, address_out = 0x764c3a34 True 1
Get Address c:\windows\system32\user32.dll function = RegisterWindowMessageA, address_out = 0x764bc091 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowTextA, address_out = 0x764b6eed True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemInfoA, address_out = 0x764b856a True 1
Get Address c:\windows\system32\user32.dll function = SetCursor, address_out = 0x764c3075 True 1
Get Address c:\windows\system32\user32.dll function = ChildWindowFromPoint, address_out = 0x764fb6aa True 1
Get Address c:\windows\system32\user32.dll function = GetSysColorBrush, address_out = 0x764bf1ed True 1
Get Address c:\windows\system32\user32.dll function = SendMessageA, address_out = 0x764bad60 True 1
Get Address c:\windows\system32\user32.dll function = LoadCursorA, address_out = 0x764b8328 True 1
Get Address c:\windows\system32\user32.dll function = MessageBoxA, address_out = 0x7650ea11 True 1
Get Address c:\windows\system32\user32.dll function = SetDlgItemTextA, address_out = 0x764d707a True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItemTextA, address_out = 0x76513d14 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowTextA, address_out = 0x764e0c5b True 1
Get Address c:\windows\system32\user32.dll function = EndDialog, address_out = 0x764e3ba3 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItem, address_out = 0x764e42bb True 1
Get Address c:\windows\system32\user32.dll function = CreateWindowExA, address_out = 0x764bbf40 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowRect, address_out = 0x764c558c True 1
Get Address c:\windows\system32\user32.dll function = RegisterClassA, address_out = 0x764bbc6a True 1
Get Address c:\windows\system32\user32.dll function = UpdateWindow, address_out = 0x764bffa8 True 1
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x764c67cf True 1
Get Address c:\windows\system32\user32.dll function = PostMessageA, address_out = 0x764bb446 True 1
Get Address c:\windows\system32\user32.dll function = SetMenu, address_out = 0x764e6b0e True 1
Get Address c:\windows\system32\user32.dll function = ShowWindow, address_out = 0x764bf2a9 True 1
Get Address c:\windows\system32\user32.dll function = LoadAcceleratorsA, address_out = 0x764dae02 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowPos, address_out = 0x764c1bc4 True 1
Get Address c:\windows\system32\user32.dll function = DefWindowProcA, address_out = 0x764bbb1c True 1
Get Address c:\windows\system32\user32.dll function = TranslateAcceleratorA, address_out = 0x764e133f True 1
Get Address c:\windows\system32\user32.dll function = GetWindowPlacement, address_out = 0x764e69de True 1
Get Address c:\windows\system32\user32.dll function = LoadIconA, address_out = 0x764b64ad True 1
Get Address c:\windows\system32\user32.dll function = GetWindowLongA, address_out = 0x764ba95e True 1
Get Address c:\windows\system32\user32.dll function = SetWindowLongA, address_out = 0x764b8ba3 True 1
Get Address c:\windows\system32\user32.dll function = InvalidateRect, address_out = 0x764c566d True 1
Get Address c:\windows\system32\user32.dll function = SetFocus, address_out = 0x764babad True 1
Get Address c:\windows\system32\user32.dll function = MapDialogRect, address_out = 0x764e347a True 1
Get Address c:\windows\system32\user32.dll function = SetRect, address_out = 0x764c498b True 1
Get Address c:\windows\system32\user32.dll function = OpenClipboard, address_out = 0x764e447e True 1
Get Address c:\windows\system32\user32.dll function = GetDC, address_out = 0x764c544c True 1
Get Address c:\windows\system32\user32.dll function = EmptyClipboard, address_out = 0x764d290c True 1
Get Address c:\windows\system32\user32.dll function = EnableMenuItem, address_out = 0x764e43bc True 1
Get Address c:\windows\system32\user32.dll function = ReleaseDC, address_out = 0x764c5421 True 1
Get Address c:\windows\system32\user32.dll function = MoveWindow, address_out = 0x764b8d29 True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemCount, address_out = 0x764bae39 True 1
Get Address c:\windows\system32\user32.dll function = CheckMenuItem, address_out = 0x764dee7c True 1
Get Address c:\windows\system32\user32.dll function = GetClientRect, address_out = 0x764c54dd True 1
Get Address c:\windows\system32\user32.dll function = GetMenuStringA, address_out = 0x76513a16 True 1
Get Address c:\windows\system32\user32.dll function = SetClipboardData, address_out = 0x764d2962 True 1
Get Address c:\windows\system32\user32.dll function = GetCursorPos, address_out = 0x764ba4b3 True 1
Get Address c:\windows\system32\user32.dll function = GetClassNameA, address_out = 0x764e2445 True 1
Get Address c:\windows\system32\user32.dll function = CloseClipboard, address_out = 0x764e446c True 1
Get Address c:\windows\system32\user32.dll function = MapWindowPoints, address_out = 0x764c5caa True 1
Get Address c:\windows\system32\user32.dll function = LoadImageA, address_out = 0x764d7779 True 1
Get Address c:\windows\system32\user32.dll function = GetSysColor, address_out = 0x764cdb7a True 1
Get Address c:\windows\system32\user32.dll function = GetMenu, address_out = 0x764e6b68 True 1
Get Address c:\windows\system32\user32.dll function = GetSubMenu, address_out = 0x764b9c19 True 1
Get Address c:\windows\system32\user32.dll function = LoadMenuA, address_out = 0x764cf92c True 1
Get Address c:\windows\system32\user32.dll function = GetParent, address_out = 0x764c6029 True 1
Get Address c:\windows\system32\user32.dll function = LoadStringA, address_out = 0x764b66a7 True 1
Get Address c:\windows\system32\user32.dll function = CreateDialogParamA, address_out = 0x764d1f42 True 1
Get Address c:\windows\system32\user32.dll function = ModifyMenuA, address_out = 0x76513ae0 True 1
Get Address c:\windows\system32\user32.dll function = DestroyWindow, address_out = 0x764bb2f4 True 1
Get Address c:\windows\system32\user32.dll function = DialogBoxParamA, address_out = 0x764fcf42 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgCtrlID, address_out = 0x764bb4e8 True 1
Get Address c:\windows\system32\user32.dll function = DestroyMenu, address_out = 0x764b87f7 True 1
Get Address c:\windows\system32\user32.dll function = EnumChildWindows, address_out = 0x764c2948 True 1
Get Address c:\windows\system32\gdi32.dll function = SelectObject, address_out = 0x76466640 True 1
Get Address c:\windows\system32\gdi32.dll function = SetTextColor, address_out = 0x76466906 True 1
Get Address c:\windows\system32\gdi32.dll function = CreateFontIndirectA, address_out = 0x7646d22d True 1
Get Address c:\windows\system32\gdi32.dll function = SetBkMode, address_out = 0x764669b1 True 1
Get Address c:\windows\system32\gdi32.dll function = DeleteObject, address_out = 0x76465f14 True 1
Get Address c:\windows\system32\gdi32.dll function = GetTextExtentPoint32A, address_out = 0x764707b0 True 1
Get Address c:\windows\system32\gdi32.dll function = SetBkColor, address_out = 0x76466a3c True 1
Get Address c:\windows\system32\gdi32.dll function = GetDeviceCaps, address_out = 0x76466f7f True 1
Get Address c:\windows\system32\comdlg32.dll function = GetSaveFileNameA, address_out = 0x7789a353 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x76014907 True 1
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyExA, address_out = 0x76011481 True 1
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x760148ef True 1
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyA, address_out = 0x7602a299 True 1
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExW, address_out = 0x7601468d True 1
Get Address c:\windows\system32\advapi32.dll function = RegDeleteKeyA, address_out = 0x7602a8b7 True 1
Get Address c:\windows\system32\advapi32.dll function = RegEnumValueA, address_out = 0x7600cf49 True 1
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7602a4b4 True 1
Get Address c:\windows\system32\advapi32.dll function = RegEnumValueW, address_out = 0x760148cc True 1
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7601469d True 1
Get Address c:\windows\system32\shell32.dll function = SHGetPathFromIDListA, address_out = 0x768e1c24 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetMalloc, address_out = 0x767e0602 True 1
Get Address c:\windows\system32\shell32.dll function = SHBrowseForFolderA, address_out = 0x76a0dc6a True 1
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x76a07078 True 1
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7618b636 True 1
Get Address c:\windows\system32\ole32.dll function = CoUninitialize, address_out = 0x761b86d3 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x72226be6 True 1
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x76a0fb26 True 1
Get Address c:\windows\system32\advapi32.dll function = OpenProcessToken, address_out = 0x76014304 True 1
Get Address c:\windows\system32\advapi32.dll function = LookupPrivilegeValueA, address_out = 0x7601404a True 1
Get Address c:\windows\system32\advapi32.dll function = AdjustTokenPrivileges, address_out = 0x7601418e True 1
Get Address c:\windows\system32\advapi32.dll function = CredReadW, address_out = 0x760472a1 True 2
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x7600b2ec True 2
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76047481 True 2
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectData, address_out = 0x75945a7f True 1
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x75b83ea8 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x6e42d70b True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = NSS_Shutdown, address_out = 0x6e42d13c True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_GetInternalKeySlot, address_out = 0x6e3c3c51 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_FreeSlot, address_out = 0x6e3c3333 True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11_Authenticate, address_out = 0x6e3ad3ca True 1
Get Address c:\program files\mozilla firefox\nss3.dll function = PK11SDR_Decrypt, address_out = 0x6e3c00a7 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptAcquireContextA, address_out = 0x760091dd True 1
Get Address c:\windows\system32\advapi32.dll function = CryptReleaseContext, address_out = 0x7600e124 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptCreateHash, address_out = 0x7600df4e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptGetHashParam, address_out = 0x7600df7e True 1
Get Address c:\windows\system32\advapi32.dll function = CryptHashData, address_out = 0x7600df36 True 1
Get Address c:\windows\system32\advapi32.dll function = CryptDestroyHash, address_out = 0x7600df66 True 1
System (3)
Operation Additional Information Success Count
Get Computer Name result_out = CRH2YWU7 True 1
Get Info type = Operating System False 1
Get Info type = Windows Directory, result_out = C:\Windows True 1
Ini (14)
Operation Filename Additional Information Success Count
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder0 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder1 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder2 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder3 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder4 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder5 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Folder6 False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = WinPos False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Columns False 1
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Debug (1)
Operation Process Additional Information Success Count
Check for Presence c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe True 1
Process #15: regsvcs.exe
(Host: 430, Network: 0)
Information Value
ID #15
File Name c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
Command Line C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe /stext "C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:09, Reason: Child Process
Unmonitor End Time: 00:02:11, Reason: Terminated by Timeout
Monitor Duration 00:01:02
OS Process Information
Information Value
PID 0x36c
Parent PID 0x328 (c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username CRH2YWU7\EEBsYm5
Groups
  • CRH2YWU7\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000ee71 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x45c, 0x66c
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00040fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d0fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000150000 0x00150000 0x0024ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000250000 0x00250000 0x00317fff Pagefile Backed Memory Readable True False False
private_0x0000000000400000 0x00400000 0x0041dfff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000420000 0x00420000 0x00520fff Pagefile Backed Memory Readable True False False
private_0x00000000005f0000 0x005f0000 0x006effff Private Memory Readable, Writable True False False
private_0x00000000007d0000 0x007d0000 0x007dffff Private Memory Readable, Writable True False False
private_0x00000000008c0000 0x008c0000 0x008cffff Private Memory Readable, Writable True False False
private_0x00000000008d0000 0x008d0000 0x009cffff Private Memory Readable, Writable True False False
sortdefault.nls 0x009d0000 0x00c9efff Memory Mapped File Readable False False False
regsvcs.exe 0x00d30000 0x00d3dfff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000d40000 0x00d40000 0x0193ffff Pagefile Backed Memory Readable True False False
private_0x0000000001ac0000 0x01ac0000 0x01bbffff Private Memory Readable, Writable True False False
comctl32.dll 0x72220000 0x722a3fff Memory Mapped File Readable, Writable, Executable False False False
pstorec.dll 0x72430000 0x7243cfff Memory Mapped File Readable, Writable, Executable False False False
atl.dll 0x73b60000 0x73b73fff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x75770000 0x7578afff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x758b0000 0x758bbfff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x75910000 0x75a2cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75a30000 0x75a79fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x75b40000 0x75c13fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75d20000 0x75dcbfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76000000 0x7609ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x760a0000 0x7616bfff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76170000 0x762cbfff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x76360000 0x76400fff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76460000 0x764adfff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x764b0000 0x76578fff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76580000 0x76589fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x76590000 0x765e6fff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76660000 0x7667efff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76720000 0x767bcfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x767c0000 0x77409fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x776f0000 0x7782bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x77840000 0x77858fff Memory Mapped File Readable, Writable, Executable False False False
comdlg32.dll 0x77860000 0x778dafff Memory Mapped File Readable, Writable, Executable False False False
apisetschema.dll 0x77930000 0x77930fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007f6f0000 0x7f6f0000 0x7f7effff Pagefile Backed Memory Readable True False False
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory Readable True False False
private_0x000000007ffd9000 0x7ffd9000 0x7ffd9fff Private Memory Readable, Writable True False False
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory Readable, Writable True False False
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory Readable, Writable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x400000, size = 512 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x401000, size = 44032 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x41c000, size = 3584 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x41d000, size = 4096 True 1
Modify Memory #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 address = 0x7ffd9008, size = 4 True 1
Modify Control Flow #11: c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe 0x530 os_tid = 0x45c, address = 0x77737098 True 1
Created Files
Filename File Size Hash Values YARA Match
c:\users\eebsym5\appdata\local\temp\gsabfkrjcfngatbtcigqhckmyel 0.46 KB (469 bytes) MD5: b2912991f1be1bdf15ea7028328cc3bf, SHA1: a18027ccd9e804696cac7dc581c58ce59b77e3c5, SHA256: 1035b4c326e3ee76f23a9532c2de82ba28071fb55ebfa27f99f48bb08f7c8114 False
Host Behavior
File (32)
Operation Filename Additional Information Success Count
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs_lng.ini type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Roaming\Thunderbird\Profiles type = file_attributes False 1
Get Info C:\Program Files\Mozilla Thunderbird type = file_attributes False 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount type = size True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount type = size True 1
Get Info C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount type = size True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{553187ED-CFB2-4763-8DAE-48D3609A76AC}.oeaccount size = 1734, size_out = 1734 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{91E541D8-6C9E-48C0-AB69-0A7168AA62DE}.oeaccount size = 1506, size_out = 1506 True 1
Read C:\Users\EEBsYm5\AppData\Local\Microsoft\Windows Mail\account{DD8DA3D5-48F0-4F18-846C-50E4200467F0}.oeaccount size = 670, size_out = 670 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 50 True 2
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 2 True 3
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 30 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 52 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 35 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 27 True 2
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 22 True 4
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 24 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 26 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 29 True 1
Write C:\Users\EEBsYm5\AppData\Local\Temp\gsabfkrjcfngatbtcigqhckmyel size = 25 True 1
Registry (124)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine False 1
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current False 1
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird False 1
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts False 1
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts False 1
Open Key HKEY_CURRENT_USER\Identities True 1
Open Key HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} True 1
Open Key HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Internet Account Manager\Accounts False 1
Open Key HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles False 1
Open Key HKEY_CURRENT_USER\Software\IncrediMail\Identities False 1
Open Key HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities False 1
Open Key HKEY_LOCAL_MACHINE\Software\Group Mail False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService False 1
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail False 1
Read Value HKEY_CURRENT_USER\Identities\{74A13782-B361-4204-9DAA-0A3D49DA4337} value_name = Username, data = Main Identity, type = REG_SZ True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User, data = 24, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Display Name, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server, type = REG_BINARY True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Use SPA, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password, data = 0, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User, data = 100, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User, data = 100, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = POP3 User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = IMAP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = HTTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = SMTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = POP3 User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = IMAP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = HTTP User, data = 100, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = SMTP User, data = 100, type = REG_NONE False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Identities False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\24f93cf8ea9a9546b93f8dc78abb6a97 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3c51f4951df2d34baef1a05b725728d2 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\42405d6c3502e64caa2aeda354771336 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\5e8673e5f416694397a90d6dc37f5694 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\600082486368c34683de3c06ff753b3b False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\6c393c97bf8f52408197f7e63b61e548 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9fd587aab699e24cb035dd8129bd6b5b False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\d9417b97bf6b594d89a41cdbed740112 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e3233d298149174193c9c78f955de155 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\e50f0eb5db19ee44ba2717941e28e885 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook False 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles False 1
Fn
Module (264)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x72220000 True 1
Load shell32.dll base_address = 0x767c0000 True 1
Load pstorec.dll base_address = 0x72430000 True 1
Load crypt32.dll base_address = 0x75910000 True 2
Load advapi32.dll base_address = 0x76000000 True 3
Get Handle c:\windows\system32\kernel32.dll base_address = 0x75b40000 True 2
Get Handle c:\windows\system32\msvcrt.dll base_address = 0x75d20000 True 1
Get Handle c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll base_address = 0x72220000 True 1
Get Handle c:\windows\system32\rpcrt4.dll base_address = 0x76360000 True 1
Get Handle c:\windows\system32\user32.dll base_address = 0x764b0000 True 1
Get Handle c:\windows\system32\gdi32.dll base_address = 0x76460000 True 1
Get Handle c:\windows\system32\comdlg32.dll base_address = 0x77860000 True 1
Get Handle c:\windows\system32\advapi32.dll base_address = 0x76000000 True 1
Get Handle c:\windows\system32\shell32.dll base_address = 0x767c0000 True 1
Get Handle c:\windows\system32\ole32.dll base_address = 0x76170000 True 1
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Get Filename process_name = c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, size = 260 True 2
Get Address c:\windows\system32\kernel32.dll function = VirtualProtect, address_out = 0x75b82341 True 1
Get Address c:\windows\system32\msvcrt.dll function = memmove, address_out = 0x75d29e5a True 1
Get Address c:\windows\system32\msvcrt.dll function = wcschr, address_out = 0x75d2aa61 True 1
Get Address c:\windows\system32\msvcrt.dll function = wcslen, address_out = 0x75d3d335 True 1
Get Address c:\windows\system32\msvcrt.dll function = wcsncmp, address_out = 0x75d2b05e True 1
Get Address c:\windows\system32\msvcrt.dll function = _itoa, address_out = 0x75d44218 True 1
Get Address c:\windows\system32\msvcrt.dll function = _strlwr, address_out = 0x75d3ca0b True 1
Get Address c:\windows\system32\msvcrt.dll function = qsort, address_out = 0x75d2d3e6 True 1
Get Address c:\windows\system32\msvcrt.dll function = strncmp, address_out = 0x75d2b443 True 1
Get Address c:\windows\system32\msvcrt.dll function = _snprintf, address_out = 0x75d4fa7c True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbsrchr, address_out = 0x75d38e5b True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbsnbicmp, address_out = 0x75d83480 True 1
Get Address c:\windows\system32\msvcrt.dll function = __dllonexit, address_out = 0x75d2f509 True 1
Get Address c:\windows\system32\msvcrt.dll function = _onexit, address_out = 0x75d3112d True 1
Get Address c:\windows\system32\msvcrt.dll function = _c_exit, address_out = 0x75d8b2db True 1
Get Address c:\windows\system32\msvcrt.dll function = _exit, address_out = 0x75d8b2c0 True 1
Get Address c:\windows\system32\msvcrt.dll function = _XcptFilter, address_out = 0x75d4dc75 True 1
Get Address c:\windows\system32\msvcrt.dll function = _cexit, address_out = 0x75d337d4 True 1
Get Address c:\windows\system32\msvcrt.dll function = _strnicmp, address_out = 0x75d30578 True 1
Get Address c:\windows\system32\msvcrt.dll function = _acmdln, address_out = 0x75dc04d8 True 1
Get Address c:\windows\system32\msvcrt.dll function = __getmainargs, address_out = 0x75d32bc0 True 1
Get Address c:\windows\system32\msvcrt.dll function = _initterm, address_out = 0x75d2c151 True 1
Get Address c:\windows\system32\msvcrt.dll function = _memicmp, address_out = 0x75d306c8 True 1
Get Address c:\windows\system32\msvcrt.dll function = malloc, address_out = 0x75d29cee True 1
Get Address c:\windows\system32\msvcrt.dll function = strrchr, address_out = 0x75d2dbae True 1
Get Address c:\windows\system32\msvcrt.dll function = _stricmp, address_out = 0x75d2db38 True 1
Get Address c:\windows\system32\msvcrt.dll function = free, address_out = 0x75d29894 True 1
Get Address c:\windows\system32\msvcrt.dll function = modf, address_out = 0x75d37551 True 1
Get Address c:\windows\system32\msvcrt.dll function = memcmp, address_out = 0x75d37975 True 1
Get Address c:\windows\system32\msvcrt.dll function = strtoul, address_out = 0x75d3012e True 1
Get Address c:\windows\system32\msvcrt.dll function = ??3@YAXPAX@Z, address_out = 0x75d2b0b9 True 1
Get Address c:\windows\system32\msvcrt.dll function = ??2@YAPAXI@Z, address_out = 0x75d2b0c9 True 1
Get Address c:\windows\system32\msvcrt.dll function = memcpy, address_out = 0x75d29910 True 1
Get Address c:\windows\system32\msvcrt.dll function = sprintf, address_out = 0x75d3d354 True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbsicmp, address_out = 0x75d39238 True 1
Get Address c:\windows\system32\msvcrt.dll function = atoi, address_out = 0x75d2dbe0 True 1
Get Address c:\windows\system32\msvcrt.dll function = _strcmpi, address_out = 0x75d2db38 True 1
Get Address c:\windows\system32\msvcrt.dll function = strlen, address_out = 0x75d343d3 True 1
Get Address c:\windows\system32\msvcrt.dll function = strcmp, address_out = 0x75d38b11 True 1
Get Address c:\windows\system32\msvcrt.dll function = exit, address_out = 0x75d336aa True 1
Get Address c:\windows\system32\msvcrt.dll function = _adjust_fdiv, address_out = 0x75dc32ec True 1
Get Address c:\windows\system32\msvcrt.dll function = wcsstr, address_out = 0x75d2bf71 True 1
Get Address c:\windows\system32\msvcrt.dll function = log, address_out = 0x75d4de50 True 1
Get Address c:\windows\system32\msvcrt.dll function = _mbscmp, address_out = 0x75d483c0 True 1
Get Address c:\windows\system32\msvcrt.dll function = strchr, address_out = 0x75d2dbeb True 1
Get Address c:\windows\system32\msvcrt.dll function = _purecall, address_out = 0x75d86ea9 True 1
Get Address c:\windows\system32\msvcrt.dll function = strncat, address_out = 0x75d50909 True 1
Get Address c:\windows\system32\msvcrt.dll function = abs, address_out = 0x75d4eb1e True 1
Get Address c:\windows\system32\msvcrt.dll function = strcat, address_out = 0x75d38d75 True 1
Get Address c:\windows\system32\msvcrt.dll function = _ultoa, address_out = 0x75d71822 True 1
Get Address c:\windows\system32\msvcrt.dll function = strcpy, address_out = 0x75d38d6e True 1
Get Address c:\windows\system32\msvcrt.dll function = memset, address_out = 0x75d29790 True 1
Get Address c:\windows\system32\msvcrt.dll function = __p__commode, address_out = 0x75d327c3 True 1
Get Address c:\windows\system32\msvcrt.dll function = __p__fmode, address_out = 0x75d327ce True 1
Get Address c:\windows\system32\msvcrt.dll function = __set_app_type, address_out = 0x75d32804 True 1
Get Address c:\windows\system32\msvcrt.dll function = _controlfp, address_out = 0x75d2e1e1 True 1
Get Address c:\windows\system32\msvcrt.dll function = _except_handler3, address_out = 0x75d4d770 True 1
Get Address c:\windows\system32\msvcrt.dll function = __setusermatherr, address_out = 0x75db77ad True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = CreateToolbarEx, address_out = 0x7224a4d5 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_Create, address_out = 0x7222908c True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_AddMasked, address_out = 0x72228b75 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_SetImageCount, address_out = 0x72286e17 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 17, address_out = 0x72221739 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = ImageList_ReplaceIcon, address_out = 0x72286ea3 True 1
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = 6, address_out = 0x7224a14c True 1
Get Address c:\windows\system32\rpcrt4.dll function = UuidFromStringA, address_out = 0x76367348 True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentDirectoryA, address_out = 0x75b7733c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleHandleA, address_out = 0x75b8cf41 True 1
Get Address c:\windows\system32\kernel32.dll function = SetCurrentDirectoryA, address_out = 0x75b8903d True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcess, address_out = 0x75b8cdcf True 1
Get Address c:\windows\system32\kernel32.dll function = ExitProcess, address_out = 0x75b9214f True 1
Get Address c:\windows\system32\kernel32.dll function = GetCurrentProcessId, address_out = 0x75b8cac4 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadProcessMemory, address_out = 0x75b7c1ce True 1
Get Address c:\windows\system32\kernel32.dll function = OpenProcess, address_out = 0x75b859d7 True 1
Get Address c:\windows\system32\kernel32.dll function = GetStdHandle, address_out = 0x75b91e46 True 1
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileIntA, address_out = 0x75b7dc43 True 1
Get Address c:\windows\system32\kernel32.dll function = EnumResourceNamesA, address_out = 0x75ba5a34 True 1
Get Address c:\windows\system32\kernel32.dll function = WritePrivateProfileStringA, address_out = 0x75b9d763 True 1
Get Address c:\windows\system32\kernel32.dll function = GetComputerNameA, address_out = 0x75b76ba9 True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileSize, address_out = 0x75b80273 True 1
Get Address c:\windows\system32\kernel32.dll function = CreateFileA, address_out = 0x75b8cee8 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalUnlock, address_out = 0x75b89d50 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalLock, address_out = 0x75b89e05 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTempPathA, address_out = 0x75ba6a65 True 1
Get Address c:\windows\system32\kernel32.dll function = GlobalAlloc, address_out = 0x75b89ce1 True 1
Get Address c:\windows\system32\kernel32.dll function = CloseHandle, address_out = 0x75b8ca7c True 1
Get Address c:\windows\system32\kernel32.dll function = FindResourceA, address_out = 0x75b8a05b True 1
Get Address c:\windows\system32\kernel32.dll function = LoadResource, address_out = 0x75b8984d True 1
Get Address c:\windows\system32\kernel32.dll function = EnumResourceTypesA, address_out = 0x75bccb42 True 1
Get Address c:\windows\system32\kernel32.dll function = SizeofResource, address_out = 0x75b83e7f True 1
Get Address c:\windows\system32\kernel32.dll function = LockResource, address_out = 0x75b7fd29 True 1
Get Address c:\windows\system32\kernel32.dll function = DeleteFileA, address_out = 0x75b847cb True 1
Get Address c:\windows\system32\kernel32.dll function = GetStartupInfoA, address_out = 0x75b41e10 True 1
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileStringA, address_out = 0x75b7d8d7 True 1
Get Address c:\windows\system32\kernel32.dll function = MultiByteToWideChar, address_out = 0x75b9452b True 1
Get Address c:\windows\system32\kernel32.dll function = WideCharToMultiByte, address_out = 0x75b9450e True 1
Get Address c:\windows\system32\kernel32.dll function = ExpandEnvironmentStringsA, address_out = 0x75b78a5b True 1
Get Address c:\windows\system32\kernel32.dll function = LocalFree, address_out = 0x75b8ca64 True 1
Get Address c:\windows\system32\kernel32.dll function = WriteFile, address_out = 0x75b91400 True 1
Get Address c:\windows\system32\kernel32.dll function = GetPrivateProfileSectionA, address_out = 0x75bc78ad True 1
Get Address c:\windows\system32\kernel32.dll function = FreeLibrary, address_out = 0x75b8d9d0 True 1
Get Address c:\windows\system32\kernel32.dll function = GetProcAddress, address_out = 0x75b933d3 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryA, address_out = 0x75b9395c True 1
Get Address c:\windows\system32\kernel32.dll function = GetModuleFileNameA, address_out = 0x75b933f6 True 1
Get Address c:\windows\system32\kernel32.dll function = FindFirstFileA, address_out = 0x75b92d89 True 1
Get Address c:\windows\system32\kernel32.dll function = FindNextFileA, address_out = 0x75b8a187 True 1
Get Address c:\windows\system32\kernel32.dll function = SetFilePointer, address_out = 0x75b8db36 True 1
Get Address c:\windows\system32\kernel32.dll function = GetLastError, address_out = 0x75b8bf00 True 1
Get Address c:\windows\system32\kernel32.dll function = LoadLibraryExA, address_out = 0x75b847fa True 1
Get Address c:\windows\system32\kernel32.dll function = GetFileAttributesA, address_out = 0x75b91de6 True 1
Get Address c:\windows\system32\kernel32.dll function = GetTempFileNameA, address_out = 0x75ba695f True 1
Get Address c:\windows\system32\kernel32.dll function = FindClose, address_out = 0x75b90e62 True 1
Get Address c:\windows\system32\kernel32.dll function = FormatMessageA, address_out = 0x75ba8868 True 1
Get Address c:\windows\system32\kernel32.dll function = GetWindowsDirectoryA, address_out = 0x75ba5d02 True 1
Get Address c:\windows\system32\kernel32.dll function = ReadFile, address_out = 0x75b896fb True 1
Get Address c:\windows\system32\kernel32.dll function = GetVersionExA, address_out = 0x75b93861 True 1
Get Address c:\windows\system32\user32.dll function = GetClassNameA, address_out = 0x764e2445 True 1
Get Address c:\windows\system32\user32.dll function = GetMessageA, address_out = 0x764c1899 True 1
Get Address c:\windows\system32\user32.dll function = TranslateMessage, address_out = 0x764c64c7 True 1
Get Address c:\windows\system32\user32.dll function = RegisterWindowMessageA, address_out = 0x764bc091 True 1
Get Address c:\windows\system32\user32.dll function = PostQuitMessage, address_out = 0x764bb308 True 1
Get Address c:\windows\system32\user32.dll function = TrackPopupMenu, address_out = 0x764d2228 True 1
Get Address c:\windows\system32\user32.dll function = PostMessageA, address_out = 0x764bb446 True 1
Get Address c:\windows\system32\user32.dll function = GetFocus, address_out = 0x764c3a34 True 1
Get Address c:\windows\system32\user32.dll function = DispatchMessageA, address_out = 0x764c2e32 True 1
Get Address c:\windows\system32\user32.dll function = DrawTextExA, address_out = 0x764dae60 True 1
Get Address c:\windows\system32\user32.dll function = IsDialogMessageA, address_out = 0x764d2019 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowTextA, address_out = 0x764b6eed True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemInfoA, address_out = 0x764b856a True 1
Get Address c:\windows\system32\user32.dll function = EnumChildWindows, address_out = 0x764c2948 True 1
Get Address c:\windows\system32\user32.dll function = DestroyMenu, address_out = 0x764b87f7 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgCtrlID, address_out = 0x764bb4e8 True 1
Get Address c:\windows\system32\user32.dll function = DialogBoxParamA, address_out = 0x764fcf42 True 1
Get Address c:\windows\system32\user32.dll function = ShowWindow, address_out = 0x764bf2a9 True 1
Get Address c:\windows\system32\user32.dll function = SetCursor, address_out = 0x764c3075 True 1
Get Address c:\windows\system32\user32.dll function = LoadCursorA, address_out = 0x764b8328 True 1
Get Address c:\windows\system32\user32.dll function = ChildWindowFromPoint, address_out = 0x764fb6aa True 1
Get Address c:\windows\system32\user32.dll function = GetSysColorBrush, address_out = 0x764bf1ed True 1
Get Address c:\windows\system32\user32.dll function = EndDialog, address_out = 0x764e3ba3 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItem, address_out = 0x764e42bb True 1
Get Address c:\windows\system32\user32.dll function = CreateWindowExA, address_out = 0x764bbf40 True 1
Get Address c:\windows\system32\user32.dll function = InvalidateRect, address_out = 0x764c566d True 1
Get Address c:\windows\system32\user32.dll function = SetDlgItemInt, address_out = 0x764dec2e True 1
Get Address c:\windows\system32\user32.dll function = BeginPaint, address_out = 0x764c5d14 True 1
Get Address c:\windows\system32\user32.dll function = GetClientRect, address_out = 0x764c54dd True 1
Get Address c:\windows\system32\user32.dll function = GetWindow, address_out = 0x764c2780 True 1
Get Address c:\windows\system32\user32.dll function = SetDlgItemTextA, address_out = 0x764d707a True 1
Get Address c:\windows\system32\user32.dll function = DrawFrameControl, address_out = 0x764db4f9 True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItemTextA, address_out = 0x76513d14 True 1
Get Address c:\windows\system32\user32.dll function = SendDlgItemMessageA, address_out = 0x764d7241 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowTextA, address_out = 0x764e0c5b True 1
Get Address c:\windows\system32\user32.dll function = GetWindowRect, address_out = 0x764c558c True 1
Get Address c:\windows\system32\user32.dll function = GetSystemMetrics, address_out = 0x764c67cf True 1
Get Address c:\windows\system32\user32.dll function = GetDlgItemInt, address_out = 0x764ded56 True 1
Get Address c:\windows\system32\user32.dll function = DeferWindowPos, address_out = 0x764ba6c8 True 1
Get Address c:\windows\system32\user32.dll function = EndPaint, address_out = 0x764c5d42 True 1
Get Address c:\windows\system32\user32.dll function = DefWindowProcA, address_out = 0x764bbb1c True 1
Get Address c:\windows\system32\user32.dll function = TranslateAcceleratorA, address_out = 0x764e133f True 1
Get Address c:\windows\system32\user32.dll function = MessageBoxA, address_out = 0x7650ea11 True 1
Get Address c:\windows\system32\user32.dll function = GetWindowPlacement, address_out = 0x764e69de True 1
Get Address c:\windows\system32\user32.dll function = RegisterClassA, address_out = 0x764bbc6a True 1
Get Address c:\windows\system32\user32.dll function = UpdateWindow, address_out = 0x764bffa8 True 1
Get Address c:\windows\system32\user32.dll function = SetMenu, address_out = 0x764e6b0e True 1
Get Address c:\windows\system32\user32.dll function = LoadAcceleratorsA, address_out = 0x764dae02 True 1
Get Address c:\windows\system32\user32.dll function = SetWindowPos, address_out = 0x764c1bc4 True 1
Get Address c:\windows\system32\user32.dll function = SendMessageA, address_out = 0x764bad60 True 1
Get Address c:\windows\system32\user32.dll function = LoadIconA, address_out = 0x764b64ad True 1
Get Address c:\windows\system32\user32.dll function = GetWindowLongA, address_out = 0x764ba95e True 1
Get Address c:\windows\system32\user32.dll function = SetWindowLongA, address_out = 0x764b8ba3 True 1
Get Address c:\windows\system32\user32.dll function = SetFocus, address_out = 0x764babad True 1
Get Address c:\windows\system32\user32.dll function = BeginDeferWindowPos, address_out = 0x764ba6a6 True 1
Get Address c:\windows\system32\user32.dll function = EndDeferWindowPos, address_out = 0x764ba67a True 1
Get Address c:\windows\system32\user32.dll function = CheckMenuItem, address_out = 0x764dee7c True 1
Get Address c:\windows\system32\user32.dll function = GetMenuItemCount, address_out = 0x764bae39 True 1
Get Address c:\windows\system32\user32.dll function = SetClipboardData, address_out = 0x764d2962 True 1
Get Address c:\windows\system32\user32.dll function = GetMenuStringA, address_out = 0x76513a16 True 1
Get Address c:\windows\system32\user32.dll function = EnableWindow, address_out = 0x764b8d02 True 1
Get Address c:\windows\system32\user32.dll function = DestroyWindow, address_out = 0x764bb2f4 True 1
Get Address c:\windows\system32\user32.dll function = GetCursorPos, address_out = 0x764ba4b3 True 1
Get Address c:\windows\system32\user32.dll function = LoadImageA, address_out = 0x764d7779 True 1
Get Address c:\windows\system32\user32.dll function = GetSysColor, address_out = 0x764cdb7a True 1
Get Address c:\windows\system32\user32.dll function = MapWindowPoints, address_out = 0x764c5caa True 1
Get Address c:\windows\system32\user32.dll function = GetMenu, address_out = 0x764e6b68 True 1
Get Address c:\windows\system32\user32.dll function = CloseClipboard, address_out = 0x764e446c True 1
Get Address c:\windows\system32\user32.dll function = GetParent, address_out = 0x764c6029 True 1
Get Address c:\windows\system32\user32.dll function = OpenClipboard, address_out = 0x764e447e True 1
Get Address c:\windows\system32\user32.dll function = GetDC, address_out = 0x764c544c True 1
Get Address c:\windows\system32\user32.dll function = EmptyClipboard, address_out = 0x764d290c True 1
Get Address c:\windows\system32\user32.dll function = MoveWindow, address_out = 0x764b8d29 True 1
Get Address c:\windows\system32\user32.dll function = GetSubMenu, address_out = 0x764b9c19 True 1
Get Address c:\windows\system32\user32.dll function = EnableMenuItem, address_out = 0x764e43bc True 1
Get Address c:\windows\system32\user32.dll function = ReleaseDC, address_out = 0x764c5421 True 1
Get Address c:\windows\system32\user32.dll function = LoadMenuA, address_out = 0x764cf92c True 1
Get Address c:\windows\system32\user32.dll function = LoadStringA, address_out = 0x764b66a7 True 1
Get Address c:\windows\system32\user32.dll function = CreateDialogParamA, address_out = 0x764d1f42 True 1
Get Address c:\windows\system32\user32.dll function = ModifyMenuA, address_out = 0x76513ae0 True 1
Get Address c:\windows\system32\gdi32.dll function = GetDeviceCaps, address_out = 0x76466f7f True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetTextColor, address_out = 0x76466906 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = CreateFontIndirectA, address_out = 0x7646d22d True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetBkMode, address_out = 0x764669b1 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = DeleteObject, address_out = 0x76465f14 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = GetTextExtentPoint32A, address_out = 0x764707b0 True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SetBkColor, address_out = 0x76466a3c True 1
Fn
Get Address c:\windows\system32\gdi32.dll function = SelectObject, address_out = 0x76466640 True 1
Fn
Get Address c:\windows\system32\comdlg32.dll function = GetOpenFileNameA, address_out = 0x7789a2a9 True 1
Fn
Get Address c:\windows\system32\comdlg32.dll function = GetSaveFileNameA, address_out = 0x7789a353 True 1
Fn
Get Address c:\windows\system32\comdlg32.dll function = FindTextA, address_out = 0x7789acd6 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyA, address_out = 0x7602a299 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegEnumKeyExA, address_out = 0x76011481 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegQueryValueExA, address_out = 0x760148ef True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegOpenKeyExA, address_out = 0x76014907 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegDeleteKeyA, address_out = 0x7602a8b7 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = GetUserNameA, address_out = 0x7602a4b4 True 1
Fn
Get Address c:\windows\system32\advapi32.dll function = RegCloseKey, address_out = 0x7601469d True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHBrowseForFolderA, address_out = 0x76a0dc6a True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetPathFromIDListA, address_out = 0x768e1c24 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetMalloc, address_out = 0x767e0602 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = ShellExecuteA, address_out = 0x76a07078 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoInitialize, address_out = 0x7618b636 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoTaskMemFree, address_out = 0x761c6f41 True 1
Fn
Get Address c:\windows\system32\ole32.dll function = CoUninitialize, address_out = 0x761b86d3 True 1
Fn
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x72226be6 True 1
Fn
Get Address c:\windows\system32\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x76a0fb26 True 1
Fn
Get Address c:\windows\system32\pstorec.dll function = PStoreCreateInstance, address_out = 0x7243526c True 1
Fn
Get Address c:\windows\system32\crypt32.dll function = CryptUnprotectData, address_out = 0x75945a7f True 2
Fn
Get Address c:\windows\system32\advapi32.dll function = CredReadA, address_out = 0x760471c1 True 3
Fn
Get Address c:\windows\system32\advapi32.dll function = CredFree, address_out = 0x7600b2ec True 3
Fn
Get Address c:\windows\system32\advapi32.dll function = CredDeleteA, address_out = 0x76047941 True 3
Fn
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateA, address_out = 0x76047381 True 3
Fn
Get Address c:\windows\system32\advapi32.dll function = CredEnumerateW, address_out = 0x76047481 True 3
Fn
System (2)
+
Operation Additional Information Success Count Logfile
Get Computer Name result_out = CRH2YWU7 True 1
Fn
Get Info type = Operating System False 1
Fn
Ini (7)
+
Operation Filename Additional Information Success Count Logfile
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = WinPos False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Columns False 1
Fn
Read C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Fn