VMRay Analyzer Report
Monitored Processes
Process Graph
Behavior Information - Grouped by Category
Process #1: 249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe
(Host: 317, Network: 0)
Information | Value
ID / OS PID | #1 / 0xc8c
OS Parent PID | 0x7fc (c:\windows\explorer.exe)
Initial Working Directory | C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name | c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe
Command Line | "C:\Users\WI2yhmtI onvScY7Pe\Desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe"
Monitor | Start Time: 00:00:37, Reason: Analysis Target
Unmonitor | End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration | 00:02:05
OS Thread IDs | #1: 0xC90, #2: 0xD08, #120: 0xE84
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | True | False | False
private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000030000 | 0x00030000 | 0x00031fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000030000 | 0x00030000 | 0x0003afff | Private Memory | Readable, Writable, Executable | True | False | False
pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable | True | False | False
private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | Readable, Writable | True | False | False
private_0x00000000001c0000 | 0x001c0000 | 0x001c0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000001d0000 | 0x001d0000 | 0x0020ffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000001d0000 | 0x001d0000 | 0x001d0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000001e0000 | 0x001e0000 | 0x001e0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000001f0000 | 0x001f0000 | 0x001f0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000000210000 | 0x00210000 | 0x00210fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | Readable, Writable | True | False | False
locale.nls | 0x00230000 | 0x002edfff | Memory Mapped File | Readable | False | False | False
private_0x00000000002f0000 | 0x002f0000 | 0x003c7fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000003d0000 | 0x003d0000 | 0x003d0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000003e0000 | 0x003e0000 | 0x003effff | Private Memory | Readable, Writable | True | False | False
private_0x00000000003f0000 | 0x003f0000 | 0x003f0fff | Private Memory | Readable, Writable, Executable | True | False | False
249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe | 0x00400000 | 0x005fdfff | Memory Mapped File | Readable, Writable, Executable | True | True | False
private_0x0000000000600000 | 0x00600000 | 0x00692fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000006a0000 | 0x006a0000 | 0x006a0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000006b0000 | 0x006b0000 | 0x006b0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000006c0000 | 0x006c0000 | 0x006c0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000006d0000 | 0x006d0000 | 0x006d0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000006e0000 | 0x006e0000 | 0x007dffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000007e0000 | 0x007e0000 | 0x00adffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000000ae0000 | 0x00ae0000 | 0x00cdffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000000ce0000 | 0x00ce0000 | 0x011c1fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000011d0000 | 0x011d0000 | 0x012cffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000011d0000 | 0x011d0000 | 0x011d0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000011e0000 | 0x011e0000 | 0x0121ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000001220000 | 0x01220000 | 0x01223fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000001230000 | 0x01230000 | 0x01230fff | Pagefile Backed Memory | Readable | True | False | False
private_0x00000000012d0000 | 0x012d0000 | 0x013cffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000013d0000 | 0x013d0000 | 0x036cffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000036d0000 | 0x036d0000 | 0x037cffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000037d0000 | 0x037d0000 | 0x038cffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000038d0000 | 0x038d0000 | 0x038d0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000038e0000 | 0x038e0000 | 0x038e0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000038f0000 | 0x038f0000 | 0x038f0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003900000 | 0x03900000 | 0x03900fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003910000 | 0x03910000 | 0x03910fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003920000 | 0x03920000 | 0x03920fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003930000 | 0x03930000 | 0x03930fff | Private Memory | Readable, Writable, Executable | True | False | False
XuMIAsww | 0x03940000 | 0x03940fff | Memory Mapped File | Readable, Writable | True | True | False
YOUMMIEo | 0x03950000 | 0x03950fff | Memory Mapped File | Readable, Writable | True | True | False
private_0x0000000003960000 | 0x03960000 | 0x03960fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003970000 | 0x03970000 | 0x03970fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003980000 | 0x03980000 | 0x03980fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003990000 | 0x03990000 | 0x03990fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000039a0000 | 0x039a0000 | 0x039a0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000039b0000 | 0x039b0000 | 0x039b0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000039c0000 | 0x039c0000 | 0x039c0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000039d0000 | 0x039d0000 | 0x039d0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000039e0000 | 0x039e0000 | 0x039e0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000039f0000 | 0x039f0000 | 0x039f0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003a00000 | 0x03a00000 | 0x03afffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000003b00000 | 0x03b00000 | 0x03b00fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000003b10000 | 0x03b10000 | 0x03e0ffff | Private Memory | Readable, Writable, Executable | True | False | False
pagefile_0x0000000003e10000 | 0x03e10000 | 0x03f97fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x0000000003fa0000 | 0x03fa0000 | 0x04120fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x0000000004130000 | 0x04130000 | 0x0552ffff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000005530000 | 0x05530000 | 0x05530fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000005540000 | 0x05540000 | 0x05540fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000005550000 | 0x05550000 | 0x05550fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005560000 | 0x05560000 | 0x05560fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005570000 | 0x05570000 | 0x05570fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005580000 | 0x05580000 | 0x05580fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005590000 | 0x05590000 | 0x05590fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000055a0000 | 0x055a0000 | 0x055a0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000055b0000 | 0x055b0000 | 0x055b0fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000055c0000 | 0x055c0000 | 0x057bffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000057c0000 | 0x057c0000 | 0x057d3fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000057e0000 | 0x057e0000 | 0x057e6fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x00000000057f0000 | 0x057f0000 | 0x057fffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005800000 | 0x05800000 | 0x0580ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005810000 | 0x05810000 | 0x0581ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005820000 | 0x05820000 | 0x0582ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005830000 | 0x05830000 | 0x0583ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005840000 | 0x05840000 | 0x0584ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005850000 | 0x05850000 | 0x0585ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005860000 | 0x05860000 | 0x05a5ffff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005a60000 | 0x05a60000 | 0x05a60fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005a70000 | 0x05a70000 | 0x05a70fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005a80000 | 0x05a80000 | 0x05a80fff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000005a90000 | 0x05a90000 | 0x05b8ffff | Private Memory | Readable, Writable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
vsstrace.dll | 0x74bf0000 | 0x74c00fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
vssapi.dll | 0x74c10000 | 0x74d2afff | Memory Mapped File | Readable, Writable, Executable | False | False | False
spp.dll | 0x74d30000 | 0x74d69fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
srclient.dll | 0x74d70000 | 0x74d81fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntmarta.dll | 0x74d90000 | 0x74db7fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
apphelp.dll | 0x74dc0000 | 0x74e50fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
bcryptprimitives.dll | 0x74e60000 | 0x74eb8fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
cryptbase.dll | 0x74ec0000 | 0x74ec9fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
sspicli.dll | 0x74ed0000 | 0x74eedfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
advapi32.dll | 0x74fb0000 | 0x7502afff | Memory Mapped File | Readable, Writable, Executable | False | False | False
powrprof.dll | 0x75280000 | 0x752c3fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
imm32.dll | 0x75460000 | 0x7548afff | Memory Mapped File | Readable, Writable, Executable | False | False | False
combase.dll | 0x75490000 | 0x75649fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
gdi32.dll | 0x75790000 | 0x758dcfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
SHCore.dll | 0x75aa0000 | 0x75b2cfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ws2_32.dll | 0x75b90000 | 0x75bebfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
profapi.dll | 0x75d70000 | 0x75d7efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msctf.dll | 0x75d90000 | 0x75eaffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
sechost.dll | 0x75eb0000 | 0x75ef2fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
user32.dll | 0x75f10000 | 0x7604ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
nsi.dll | 0x76050000 | 0x76056fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel.appcore.dll | 0x76290000 | 0x7629bfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
shlwapi.dll | 0x762a0000 | 0x762e3fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
clbcatq.dll | 0x762f0000 | 0x76371fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
windows.storage.dll | 0x76380000 | 0x7685cfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
rpcrt4.dll | 0x76860000 | 0x7690bfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
shell32.dll | 0x76910000 | 0x77ccefff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ole32.dll | 0x77cd0000 | 0x77db9fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1ddcffff | Private Memory | Readable | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
Created Files
Filename | File Size | Hash Values | YARA Match
c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww | 0.00 KB (0 bytes) | MD5: d41d8cd98f00b204e9800998ecf8427e; SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709; SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False
c:\programdata\vmymsigm\yoummieo | 0.00 KB (0 bytes) | MD5: d41d8cd98f00b204e9800998ecf8427e; SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709; SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | False
c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe | 2.00 MB (2100224 bytes) | MD5: e8b81e4a627a9f9a772b6d42d9bb3a3c; SHA1: 08cdff2e0e82651cde54a58eca4747aadc940a53; SHA256: 0fbd214902a4b12b22dd57fc04449cf9642a220d2cc5c0cd274013131446c899 | False
c:\programdata\vmymsigm\yoummieo.exe | 1.95 MB (2042880 bytes) | MD5: 25081af7955ff8b96260f64cc3c76bcb; SHA1: e02b4eab3fe752312aadd58de8a2e3558aebe12d; SHA256: c7c619989c3733e37fa0b40b0e606cd0f6b3711378cbffd4908c4364fbf1e18c | False
c:\programdata\baieaacu\xuaecwog.exe | 1.98 MB (2079744 bytes) | MD5: 958a7f26c423db4ed7c1caafc0dda8e9; SHA1: 0af04b61a579c82fe3a4b06a62fc4d3cd0e2c571; SHA256: b9796040e89f3877c538a338d75bab2beeec94a720571f3d5df08e019cff3380 | False
c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat | 0.00 KB (4 bytes) | MD5: f6f0aa95187fb1682cfbee02e3348d4f; SHA1: 46c7c7331f30edf31b3308f077cb583ec37a68be; SHA256: b9c68ec4d2854ae3bc968140b7c9ceefb21f5dd73365d16590741bce796ec459 | False
c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware | 6.80 KB (6968 bytes) | MD5: 672a1f1de82c3076688c129d2c89d0e2; SHA1: 02e8f06ad6888c9fb28059f5eac065b7bbfdd365; SHA256: 1d8a8607dd5b6aa413649cd3dc7187497e6a7fcb616e56c980fcfb682ee8c363 | False
Host Behavior
File (265)
Operation | Filename | Additional Information | Success | Count
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\jflcfzpjeknoja | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\edyqopp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\vije | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\skqngilsj | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\rorln | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ikbh | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\evywvrrs | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\rtobnpdljgwwngd | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\wqrqtgk | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\agdb | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\igvsjvpdqbzchuq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\kgefqqjfdydaway | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\vvjmrgfdiuwazeb | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\lhmk | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\exfda | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\dxfpcywdygfese | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\bolwkhjyxgq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\gfysb | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\uhnm | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | True | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\rpevkxqtrvzngt | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\qmufpu | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\sukproak | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\gziysukvx | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\qraq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\bqnm | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\gzwkvrzheieagd | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\vyqoon | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\okjjjhibzy | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\programdata\vmymsigm\yoummieo | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\jadccbxzcopys | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\programdata\vmymsigm\yoummieo | desired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | True | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\vabnhssjqi | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\sfxs | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\dvrkttxonuvxxo | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\zbchwzxtu | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\fgvyusstvvsmett | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\eygoj | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\fyqyrfypw | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\kdfsxqp | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ifdaysdzm | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\bwxt | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\mbpi | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\qfpfeev | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\sjnrb | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\zfcdvoztqqsqssn | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\adrlcrwowsouok | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\sjfffxwsv | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\eutwzrkvmoo | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\fazehwvdxqq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\pllm | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ajazmxx | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\tynjyraljh | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\nocgllgflajyn | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\udlg | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\psejm | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\gsxqdtmlmrr | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\deaczjoevu | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\nsjgfcryrfzr | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\wsjaxpyhq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ijzo | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\rzwdstazova | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\tcqrwftqbypivum | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\vcbnbq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\rxnvrdscfofjr | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\yawlipagrm | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ucsfzlbaezn | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\zcgwzmuzzmzip | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ciotal | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\dodoqeqrbwahtjq | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\swudqd | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\jrtgquwkyvanvbi | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\hhqjokypw | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\bnvwlppbnnua | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe | desired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMAL | True | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\cfkdoo | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ivio | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\okroak | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\woghlxmtdopva | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\okooeoueted | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\eqdzfvvf | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\dyfwoqbh | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\ipplbhxcuc | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
CREATE | c:\users\wi2yhmti onvscy7pe\desktop\pkkpenkyse | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMAL | False | 1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ucpgdjptbnwdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ckuhxlydmvbcgtdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\lzzjxhckudesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\rocpuxhdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\pjrrdbkpxxpdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ddahqzxmaggrzgkdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\zgspcrdzmbdllldesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\tqfrveveidesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\fcjudzpydesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\efrhdichidesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\okpzlttkzghsbdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\qsltlfjcdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\dvdlznyxdqejopdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\wnnumdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\faqybxahlccdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\gqazpanrzpdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\gnzdojblzdltdvdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\bdvmlsjpvluscdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\shxkoddesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\eqnahklzvzrkradesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\programdata\vmymsigm\yoummieo.exedesired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\rdotrvcpthdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\olxnxqdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\awwilildhkdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\dlpdjbpebpqqrvhdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\nyfhadesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ibkfdojfdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\mocdpjijdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\fziqkdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\uqktfecidxwddesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\svgratdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\jtylyxjwqnhbdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\sfqevzfusjwkcqdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ckdfgwhydesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\nctequiorzziwdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\aibxxndesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\programdata\baieaacu\xuaecwog.exedesired_access = GENERIC_WRITE, GENERIC_READ, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\wmsxkoocwjpdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\gdrfmasucdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\kdynuecdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\hzcmrmznnnvhvdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\kmzszjjabixrvidesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\mukdnyiwkudesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\xggwdbdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\zzgedesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\vkiqloxayyohcdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\dddpavcirmvvqqkdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\auiwcdddesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\sudgniklyefzdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\vvxuzzhdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\pkqljphzdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\quxgkeotadesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\pagooqzsdxipqlpdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\cptlucmcnkdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\mpiodesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\syndenpsdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\iiroxzogklxdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\mdmogmdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\rllubdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ugpfdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\fzoyzhgobdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ddjphthbrqussdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ubupjnawudesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\jujdffdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\aavbijipezbvdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\qeqnpyjjjrdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\qspglilvvmddesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\vzsussoabfdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\uwogdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\spuonpilxjekirodesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\tzvwiydesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ogrzajodesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\puovwjldesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.batdesired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ftpjwfwdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malwaredesired_access = GENERIC_WRITE, GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = CREATE_ALWAYS, file_attributes = FILE_ATTRIBUTE_NORMALTrue1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\twdznhhtdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\dlksrdesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATEc:\users\wi2yhmti onvscy7pe\desktop\ozbllmpyudesired_access = GENERIC_READ, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, create_disposition = OPEN_EXISTING, file_attributes = FILE_ATTRIBUTE_NORMALFalse1
Fn
CREATE_DIR | c:\users\wi2yhmti onvscy7pe\ayooemee | | True | 1
CREATE_DIR | c:\users\wi2yhmti onvscy7pe\ayooemee | | False | 2
CREATE_DIR | c:\programdata\vmymsigm | | True | 1
CREATE_DIR | c:\programdata\vmymsigm | | False | 2
CREATE_DIR | c:\programdata\baieaacu | | True | 1
CREATE_DIR | c:\programdata\baieaacu | | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\vije | size = 9 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ikbh | size = 6 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\evywvrrs | size = 29 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\rtobnpdljgwwngd | size = 14 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\igvsjvpdqbzchuq | size = 13 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\kgefqqjfdydaway | size = 15 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\lhmk | size = 19 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\dxfpcywdygfese | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\bolwkhjyxgq | size = 18 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\gfysb | size = 4 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\uhnm | size = 7 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\qmufpu | size = 15 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\gziysukvx | size = 16 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\vyqoon | size = 27 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\okjjjhibzy | size = 6 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\jadccbxzcopys | size = 18 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\fgvyusstvvsmett | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ifdaysdzm | size = 11 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\bwxt | size = 5 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\mbpi | size = 12 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\qfpfeev | size = 30 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\sjnrb | size = 9 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\adrlcrwowsouok | size = 23 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\pllm | size = 25 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ajazmxx | size = 30 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\tynjyraljh | size = 10 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\nocgllgflajyn | size = 20 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\nsjgfcryrfzr | size = 27 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\wsjaxpyhq | size = 4 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ijzo | size = 16 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\yawlipagrm | size = 25 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\zcgwzmuzzmzip | size = 5 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ciotal | size = 13 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\dodoqeqrbwahtjq | size = 13 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\swudqd | size = 6 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\jrtgquwkyvanvbi | size = 5 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\cfkdoo | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\woghlxmtdopva | size = 27 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\okooeoueted | size = 24 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\dyfwoqbh | size = 26 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ckuhxlydmvbcgt | size = 21 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\pjrrdbkpxxp | size = 22 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\zgspcrdzmbdlll | size = 9 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\efrhdichi | size = 29 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\okpzlttkzghsb | size = 30 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\wnnum | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\faqybxahlcc | size = 31 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\gqazpanrzp | size = 13 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\gnzdojblzdltdv | size = 14 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\eqnahklzvzrkra | size = 9 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\rdotrvcpth | size = 6 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\olxnxq | size = 31 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\nyfha | size = 22 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\fziqk | size = 26 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\svgrat | size = 28 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\jtylyxjwqnhb | size = 11 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\sfqevzfusjwkcq | size = 30 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\aibxxn | size = 28 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\gdrfmasuc | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\hzcmrmznnnvhv | size = 13 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\vkiqloxayyohc | size = 28 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\dddpavcirmvvqqk | size = 25 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\auiwcdd | size = 30 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\sudgniklyefz | size = 20 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\vvxuzzh | size = 31 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\pkqljphz | size = 31 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\quxgkeota | size = 31 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\cptlucmcnk | size = 17 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\mpio | size = 29 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\syndenps | size = 24 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\iiroxzogklx | size = 6 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ugpf | size = 4 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\fzoyzhgob | size = 15 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ubupjnawu | size = 24 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\qspglilvvmd | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\vzsussoabf | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\uwog | size = 8 | False | 1
READ | c:\users\wi2yhmti onvscy7pe\desktop\ftpjwfw | size = 27 | False | 1
WRITE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe | size = 1024 | True | 1
WRITE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe | size = 684032 | True | 1
WRITE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe | size = 10240 | True | 1
WRITE | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe | size = 1404928 | True | 1
WRITE | c:\programdata\vmymsigm\yoummieo.exe | size = 1024 | True | 1
WRITE | c:\programdata\vmymsigm\yoummieo.exe | size = 684032 | True | 1
WRITE | c:\programdata\vmymsigm\yoummieo.exe | size = 10240 | True | 1
WRITE | c:\programdata\vmymsigm\yoummieo.exe | size = 1347584 | True | 1
WRITE | c:\programdata\baieaacu\xuaecwog.exe | size = 1024 | True | 1
WRITE | c:\programdata\baieaacu\xuaecwog.exe | size = 684032 | True | 1
WRITE | c:\programdata\baieaacu\xuaecwog.exe | size = 10240 | True | 1
WRITE | c:\programdata\baieaacu\xuaecwog.exe | size = 1384448 | True | 1
WRITE | c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat | size = 4 | True | 1
WRITE | c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware | size = 6968 | True | 1
DELETE | c:\users\wi2yhm~1\appdata\local\temp\dwaaskwo.bat | | True | 1
Process (6)
Operation | Process Name | Additional Information | Success | Count
CREATE | C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe | os_tid = 0xd7c, os_pid = 0xd78, show_window = SW_HIDE | True | 1
CREATE | C:\ProgramData\VmYMsIgM\YOUMMIEo.exe | os_tid = 0xdbc, os_pid = 0xdb8, show_window = SW_HIDE | True | 1
CREATE | C:\Users\WI2YHM~1\AppData\Local\Temp\dWAAskwo.bat | os_tid = 0xe3c, os_pid = 0xe38, creation_flags = CREATE_NO_WINDOW, current_directory = C:\Users\WI2yhmtI onvScY7Pe\Desktop, show_window = SW_HIDE | True | 1
CREATE | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1 | show_window = SW_HIDE | True | 1
CREATE | reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2 | show_window = SW_HIDE | True | 1
CREATE | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f | show_window = SW_HIDE | True | 1
Module (14)
Operation | Module | Additional Information | Success | Count
LOAD | advapi32.dll | base_address = 0x74fb0000 | True | 2
LOAD | NTDLL | base_address = 0x77dc0000 | True | 1
LOAD | ws2_32.dll | base_address = 0x75b90000 | True | 1
LOAD | kernel32.dll | base_address = 0x75650000 | True | 1
LOAD | ntdll.dll | base_address = 0x77dc0000 | True | 1
LOAD | user32.dll | base_address = 0x75f10000 | True | 1
LOAD | shell32.dll | base_address = 0x76910000 | True | 1
LOAD | srclient.dll | base_address = 0x74d70000 | True | 1
CREATE_MAPPING | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww | module_name = Nameless FileMapping, maximum_size = 2062, protection = PAGE_READWRITE | True | 1
CREATE_MAPPING | c:\programdata\vmymsigm\yoummieo | module_name = Nameless FileMapping, maximum_size = 2062, protection = PAGE_READWRITE | True | 1
MAP | c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww | process_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe, os_pid = 0xc8c, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x3940000 | True | 1
MAP | c:\programdata\vmymsigm\yoummieo | process_name = c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe, os_pid = 0xc8c, module_name = Nameless FileMapping, desired_access = FILE_MAP_ALL_ACCESS, file_offset = 0, address = 0x3950000 | True | 1
GET_PROC_ADDRESS | c:\windows\syswow64\srclient.dll | function = SRRemoveRestorePoint, address = 0x74d745c0 | True | 1
Service (6)
Operation | Service | Additional Information | Success | Count
OPEN_MGR | SERVICES_ACTIVE_DATABASE | host = Localhost, desired_access = SC_MANAGER_CONNECT, SC_MANAGER_CREATE_SERVICE, SC_MANAGER_ENUMERATE_SERVICE, SC_MANAGER_LOCK, SC_MANAGER_QUERY_LOCK_STATUS, SC_MANAGER_MODIFY_BOOT_CONFIG, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER | True | 1
CREATE | cEMAEwpb | file_name = C:\ProgramData\BAIEAAcU\xUAEcwog.exe, database_name = SERVICES_ACTIVE_DATABASE, display_name = cEMAEwpb, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, service_type = SERVICE_WIN32_OWN_PROCESS, start_type = SERVICE_AUTO_START | True | 1
OPEN | cEMAEwpb | database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER | False | 1
OPEN | cEMAEwpb | database_name = SERVICES_ACTIVE_DATABASE, desired_access = SERVICE_QUERY_CONFIG, SERVICE_CHANGE_CONFIG, SERVICE_QUERY_STATUS, SERVICE_ENUMERATE_DEPENDENTS, SERVICE_START, SERVICE_STOP, SERVICE_PAUSE_CONTINUE, SERVICE_INTERROGATE, SERVICE_USER_DEFINED_CONTROL, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER | True | 1
START | cEMAEwpb | parameters = 0 | False | 1
GET_INFO | cEMAEwpb | type = Status | True | 1
Registry (10)
Operation | Key | Additional Information | Success | Count
OPEN_KEY | HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | | True | 1
OPEN_KEY | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | | True | 1
OPEN_KEY | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | | True | 2
READ_VALUE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | value_name = Userinit, data_ident_out = C:\Windows\system32\userinit.exe, | True | 1
READ_VALUE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | value_name = Userinit, data_ident_out = 0 | False | 1
WRITE_VALUE | HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run | value_name = XuMIAsww.exe, data = C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe | True | 1
WRITE_VALUE | HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run | value_name = YOUMMIEo.exe, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe | True | 1
WRITE_VALUE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | value_name = Userinit, data = C:\Windows\system32\userinit.exe,C:\ProgramData\VmYMsIgM\YOUMMIEo.exe, | True | 1
WRITE_VALUE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | value_name = Userinit, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe, | True | 1
User (2)
Operation | User/Group/Server | Additional Information | Success | Count
GET_CURRENT | WI2yhmtI onvScY7Pe | | True | 2
System (2)
Operation | Information | Success | Count
SLEEP | duration = 159 milliseconds (0.159 seconds) | True | 1
SLEEP | duration = 50 milliseconds (0.050 seconds) | True | 1
Mutex (12)
Operation | Name | Additional Information | Success | Count
CREATE | AsEwIwsA | initial_owner = 0 | True | 1
CREATE | TYAckMgs | initial_owner = 0 | True | 1
RELEASE | AsEwIwsA | | True | 4
RELEASE | | | False | 6
Process #2: xumiasww.exe
ID / OS PID: #2 / 0xd78
OS Parent PID: 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name: c:\users\wi2yhmti onvscy7pe\ayooemee\xumiasww.exe
Command Line: "C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exe"
Monitor: Start Time: 00:01:04, Reason: Child Process
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:01:38
OS Thread IDs: #3 0xD7C, #4 0xD80
Remarks: No high level activity detected in monitored regions
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
private_0x00000000000100000x000100000x0002ffffPrivate MemoryReadable, WritableTrueFalseFalse
pagefile_0x00000000000100000x000100000x0001ffffPagefile Backed MemoryReadable, WritableTrueFalseFalse
private_0x00000000000200000x000200000x00023fffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000000300000x000300000x00031fffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000000300000x000300000x00030fffPrivate MemoryReadable, WritableTrueFalseFalse
pagefile_0x00000000000400000x000400000x00053fffPagefile Backed MemoryReadableTrueFalseFalse
private_0x00000000000600000x000600000x0009ffffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000000a00000x000a00000x0019ffffPrivate MemoryReadable, WritableTrueFalseFalse
pagefile_0x00000000001a00000x001a00000x001a3fffPagefile Backed MemoryReadableTrueFalseFalse
private_0x00000000001b00000x001b00000x001b1fffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000001c00000x001c00000x001fffffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000002000000x002000000x00200fffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000002100000x002100000x0025dfffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse
private_0x00000000002600000x002600000x0026ffffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000002700000x002700000x0027ffffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x00000000002c00000x002c00000x003bffffPrivate MemoryReadable, WritableTrueFalseFalse
XuMIAsww.exe0x004000000x00600fffMemory Mapped FileReadable, Writable, ExecutableTrueTrueFalse
locale.nls0x006100000x006cdfffMemory Mapped FileReadableFalseFalseFalse
private_0x00000000006d00000x006d00000x007cffffPrivate MemoryReadable, WritableTrueFalseFalse
pagefile_0x00000000007d00000x007d00000x00957fffPagefile Backed MemoryReadableTrueFalseFalse
pagefile_0x00000000009600000x009600000x00ae0fffPagefile Backed MemoryReadableTrueFalseFalse
pagefile_0x0000000000af00000x00af00000x01eeffffPagefile Backed MemoryReadableTrueFalseFalse
wow64.dll0x53cc00000x53d0efffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
wow64cpu.dll0x53d100000x53d17fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
wow64win.dll0x53d200000x53d92fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
apphelp.dll0x74dc00000x74e50fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
msvcrt.dll0x74ef00000x74fadfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
KernelBase.dll0x752e00000x75455fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
imm32.dll0x754600000x7548afffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
kernel32.dll0x756500000x7573ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
gdi32.dll0x757900000x758dcfffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
msctf.dll0x75d900000x75eaffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
user32.dll0x75f100000x7604ffffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
ntdll.dll0x77dc00000x77f38fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
pagefile_0x000000007feb00000x7feb00000x7ffaffffPagefile Backed MemoryReadableTrueFalseFalse
pagefile_0x000000007ffb00000x7ffb00000x7ffd2fffPagefile Backed MemoryReadableTrueFalseFalse
private_0x000000007ffd80000x7ffd80000x7ffdafffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x000000007ffdb0000x7ffdb0000x7ffddfffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x000000007ffde0000x7ffde0000x7ffdefffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x000000007ffdf0000x7ffdf0000x7ffdffffPrivate MemoryReadable, WritableTrueFalseFalse
private_0x000000007ffe00000x7ffe00000x7ffeffffPrivate MemoryReadableTrueFalseFalse
private_0x000000007fff00000x7fff00000x7ffb1ddcffffPrivate MemoryReadableTrueFalseFalse
ntdll.dll0x7ffb1ddd00000x7ffb1df91fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse
private_0x00007ffb1df920000x7ffb1df920000x7ffffffeffffPrivate MemoryReadableTrueFalseFalse
Process #3: yoummieo.exe
ID / OS PID: #3 / 0xdb8
OS Parent PID: 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name: c:\programdata\vmymsigm\yoummieo.exe
Command Line: "C:\ProgramData\VmYMsIgM\YOUMMIEo.exe"
Monitor: Start Time: 00:01:25, Reason: Child Process
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:01:17
OS Thread IDs: #5 0xDBC, #6 0xDC0
Remarks: No high level activity detected in monitored regions
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | True | False | False
private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable | True | False | False
private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | Readable, Writable | True | False | False
locale.nls | 0x001c0000 | 0x0027dfff | Memory Mapped File | Readable | False | False | False
private_0x0000000000280000 | 0x00280000 | 0x002bffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000002c0000 | 0x002c0000 | 0x002c0fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000350000 | 0x00350000 | 0x0035ffff | Private Memory | Readable, Writable | True | False | False
YOUMMIEo.exe | 0x00400000 | 0x005f2fff | Memory Mapped File | Readable, Writable, Executable | True | True | False
private_0x0000000000600000 | 0x00600000 | 0x006fffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000007e0000 | 0x007e0000 | 0x008dffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000008e0000 | 0x008e0000 | 0x00a67fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000000a70000 | 0x00a70000 | 0x00b5cfff | Private Memory | Readable, Writable, Executable | True | False | False
private_0x0000000000b70000 | 0x00b70000 | 0x00b7ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000b80000 | 0x00b80000 | 0x00d00fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x0000000000d10000 | 0x00d10000 | 0x0210ffff | Pagefile Backed Memory | Readable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
apphelp.dll | 0x74dc0000 | 0x74e50fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
imm32.dll | 0x75460000 | 0x7548afff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
gdi32.dll | 0x75790000 | 0x758dcfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msctf.dll | 0x75d90000 | 0x75eaffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
user32.dll | 0x75f10000 | 0x7604ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1ddcffff | Private Memory | Readable | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
Process #4: System
ID / OS PID: #4 / 0x4
OS Parent PID: 0xffffffffffffffff (Unknown)
Initial Working Directory:
File Name: System
Command Line:
Monitor: Start Time: 00:01:46, Reason: Created Daemon
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:00:56
OS Thread IDs:
#7 0xC94, #8 0xCAC, #9 0x14, #10 0x2BC, #11 0x540, #12 0x4B8, #13 0x88C, #14 0xE8, #15 0x6D0, #16 0x234,
#17 0x9F0, #18 0x84C, #19 0x7F0, #20 0x80, #21 0x234, #22 0x494, #23 0xAF8, #24 0xD0, #25 0xCC, #26 0xC8,
#27 0xC4, #28 0x13C, #29 0x138, #30 0x30, #31 0x1C, #32 0xA60, #33 0xA2C, #34 0xA28, #35 0x93C, #36 0x6D8,
#37 0x5C, #38 0xBFC, #39 0xBF0, #40 0x3C, #41 0xA8C, #42 0xA80, #43 0x974, #44 0x968, #45 0x80C, #46 0x4D8,
#47 0x7DC, #48 0x7D4, #49 0xE4, #50 0x628, #51 0x624, #52 0x620, #53 0x610, #54 0xA4, #55 0x5B0, #56 0xB4,
#57 0x554, #58 0x48, #59 0x530, #60 0x524, #61 0xB0, #62 0x4B0, #63 0x4A0, #64 0x6C, #65 0x464, #66 0x70,
#67 0x450, #68 0x170, #69 0x84, #70 0x198, #71 0x74, #72 0x40, #73 0x35C, #74 0x8C, #75 0x78, #76 0x88,
#77 0x2BC, #78 0x16C, #79 0x144, #80 0x44, #81 0x134, #82 0x124, #83 0x104, #84 0x38, #85 0x1A8, #86 0x7C,
#87 0x20, #88 0x174, #89 0x168, #90 0x164, #91 0x160, #92 0x140, #93 0x34, #94 0x10, #95 0xA8, #96 0xB8,
#97 0xF0, #98 0xC0, #99 0x60, #100 0x110, #101 0xBC, #102 0xEC, #103 0x64, #104 0x8, #105 0x0, #108 0x18,
#109 0x24, #114 0x24C
Remarks: No high level activity detected in monitored regions
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
pagefile_0x0000005500000000 | 0x5500000000 | 0x5500000fff | Pagefile Backed Memory | Readable, Writable | True | False | False
pagefile_0x0000005500010000 | 0x5500010000 | 0x5500010fff | Pagefile Backed Memory | Readable, Writable | True | False | False
pagefile_0x0000005500020000 | 0x5500020000 | 0x5500020fff | Pagefile Backed Memory | Readable, Writable | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
Process #5: xuaecwog.exe
ID / OS PID: #5 / 0xe00
OS Parent PID: 0x1dc (c:\windows\system32\services.exe)
Initial Working Directory: C:\Windows\system32
File Name: c:\programdata\baieaacu\xuaecwog.exe
Command Line: C:\ProgramData\BAIEAAcU\xUAEcwog.exe
Monitor: Start Time: 00:01:46, Reason: Created Daemon
Unmonitor: End Time: 00:02:20, Reason: Terminated
Monitor Duration: 00:00:34
OS Thread IDs: #106 0xE04, #107 0xE08
Remarks: No high level activity detected in monitored regions
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
private_0x0000000000010000 | 0x00010000 | 0x0002ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000010000 | 0x00010000 | 0x0001ffff | Pagefile Backed Memory | Readable, Writable | True | False | False
private_0x0000000000020000 | 0x00020000 | 0x00023fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000030000 | 0x00030000 | 0x00030fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000040000 | 0x00040000 | 0x00053fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000000060000 | 0x00060000 | 0x0009ffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000000a0000 | 0x000a0000 | 0x0019ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000001a0000 | 0x001a0000 | 0x001a3fff | Pagefile Backed Memory | Readable | True | False | False
private_0x00000000001b0000 | 0x001b0000 | 0x001b1fff | Private Memory | Readable, Writable | True | False | False
private_0x00000000001c0000 | 0x001c0000 | 0x001fffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000200000 | 0x00200000 | 0x00200fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000000220000 | 0x00220000 | 0x0022ffff | Private Memory | Readable, Writable | True | False | False
locale.nls | 0x00230000 | 0x002edfff | Memory Mapped File | Readable | False | False | False
private_0x00000000002f0000 | 0x002f0000 | 0x003effff | Private Memory | Readable, Writable | True | False | False
xUAEcwog.exe | 0x00400000 | 0x005fbfff | Memory Mapped File | Readable, Writable, Executable | True | True | False
pagefile_0x0000000000600000 | 0x00600000 | 0x006bffff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000000700000 | 0x00700000 | 0x007fffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000000800000 | 0x00800000 | 0x00987fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x0000000000990000 | 0x00990000 | 0x00b10fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000000b20000 | 0x00b20000 | 0x00bacfff | Private Memory | Readable, Writable, Executable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
apphelp.dll | 0x74dc0000 | 0x74e50fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
gdi32.dll | 0x75790000 | 0x758dcfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
user32.dll | 0x75f10000 | 0x7604ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007feb0000 | 0x7feb0000 | 0x7ffaffff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x000000007ffb0000 | 0x7ffb0000 | 0x7ffd2fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007ffd8000 | 0x7ffd8000 | 0x7ffdafff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffdb000 | 0x7ffdb000 | 0x7ffddfff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffde000 | 0x7ffde000 | 0x7ffdefff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffdf000 | 0x7ffdf000 | 0x7ffdffff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7ffb1ddcffff | Private Memory | Readable | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
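The region tables for processes #2, #3 and #5 each show, next to the dropped image the sandbox dumped, a private (not file-backed) region marked Readable, Writable, Executable. Those are the two things worth pulling out of a memory map at triage time: executable memory with no backing file, where an unpacker or injector stages code, and mappings the sandbox decided to dump. As an added example that is not VMRay's code and not part of this report, the Python below parses region rows in the flattened form this page prints them in and flags both. The sample rows are copied from the tables for processes #2, #3, #5 and #6; the regular expression and the triage rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Region rows copied verbatim from this report's Process #2, #3, #5 and #6 tables.
# The report concatenates the columns with no separator, so the parser below has
# to recover them. Sample input for this example only; the parser and the triage
# rules are mine, not VMRay's.
SAMPLE_ROWS = [
    "private_0x00000000002100000x002100000x0025dfffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse",
    "XuMIAsww.exe0x004000000x00600fffMemory Mapped FileReadable, Writable, ExecutableTrueTrueFalse",
    "locale.nls0x006100000x006cdfffMemory Mapped FileReadableFalseFalseFalse",
    "private_0x0000000000a700000x00a700000x00b5cfffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse",
    "private_0x0000000000b200000x00b200000x00bacfffPrivate MemoryReadable, Writable, ExecutableTrueFalseFalse",
    "pagefile_0x00000000003500000x003500000x0434ffffPagefile Backed Memory-TrueFalseFalse",
    "ntdll.dll0x7ffb1ddd00000x7ffb1df91fffMemory Mapped FileReadable, Writable, ExecutableFalseFalseFalse",
    "private_0x000000007fff00000x7fff00000x7ffb1ddcffffPrivate MemoryReadableTrueFalseFalse",
]

# Columns: Name, Start VA, End VA, Type, Permissions, Monitored, Dump, YARA Match.
# The name is matched lazily so that a "private_0x..." name does not swallow the
# start address; the type keyword anchors the split right after the two addresses.
ROW_RE = re.compile(
    r"^(?P<name>.+?)"
    r"(?P<start>0x[0-9a-f]+)(?P<end>0x[0-9a-f]+)"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)"
    r"(?P<perms>.*?)"
    r"(?P<monitored>True|False)(?P<dump>True|False)(?P<yara>True|False)$"
)


@dataclass
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: frozenset
    monitored: bool
    dumped: bool
    yara: bool

    @property
    def size(self) -> int:
        return self.end - self.start + 1

    @property
    def executable(self) -> bool:
        return "Executable" in self.perms


def parse_region(row: str) -> Region:
    """Split one flattened region row into its columns."""
    m = ROW_RE.match(row)
    if m is None:
        raise ValueError(f"unparseable region row: {row!r}")
    perms = frozenset() if m["perms"] == "-" else frozenset(p.strip() for p in m["perms"].split(","))
    return Region(
        name=m["name"],
        start=int(m["start"], 16),
        end=int(m["end"], 16),
        kind=m["kind"],
        perms=perms,
        monitored=m["monitored"] == "True",
        dumped=m["dump"] == "True",
        yara=m["yara"] == "True",
    )


def triage(rows):
    """Return (name, reason, size) for the regions worth a closer look.

    Two indicators: executable memory that is not backed by a file (where an
    unpacker or injector stages code), and any mapping the sandbox dumped.
    """
    findings = []
    for region in map(parse_region, rows):
        if region.kind == "Private Memory" and region.executable:
            findings.append((region.name, "private executable memory", region.size))
        elif region.kind == "Memory Mapped File" and region.dumped:
            findings.append((region.name, "dumped image", region.size))
    return findings


if __name__ == "__main__":
    for name, reason, size in triage(SAMPLE_ROWS):
        print(f"{name:<30} {reason:<28} {size:#x} bytes")
```

Every loaded DLL on this page is listed as Readable, Writable, Executable, so file-backed RWX is not a useful signal by itself here; the private executable regions (0x210000 in #2, 0xa70000 in #3, 0xb20000 in #5) and the Dump flag on the three dropped images are what separate these processes from the reg.exe and cmd.exe children.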
Process #6: cmd.exe
(Host: 4, Network: 0)
ID / OS PID: #6 / 0xe38
OS Parent PID: 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name: c:\windows\syswow64\cmd.exe
Command Line: C:\Windows\system32\cmd.exe /c "C:\Users\WI2yhmtI onvScY7Pe\Desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware"
Monitor: Start Time: 00:02:22, Reason: Child Process
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:00:20
OS Thread IDs: #110 0xE3C, #128 0xEAC
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
cmd.exe | 0x00070000 | 0x000bffff | Memory Mapped File | Readable, Writable, Executable | True | False | False
pagefile_0x0000000000350000 | 0x00350000 | 0x0434ffff | Pagefile Backed Memory | - | True | False | False
private_0x0000000004350000 | 0x04350000 | 0x0436ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004350000 | 0x04350000 | 0x0435ffff | Pagefile Backed Memory | Readable, Writable | True | False | False
private_0x0000000004360000 | 0x04360000 | 0x04363fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004370000 | 0x04370000 | 0x04371fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004380000 | 0x04380000 | 0x04393fff | Pagefile Backed Memory | Readable | True | False | False
private_0x00000000043a0000 | 0x043a0000 | 0x043dffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000043e0000 | 0x043e0000 | 0x044dffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004500000 | 0x04500000 | 0x04501fff | Private Memory | Readable, Writable | True | False | False
locale.nls | 0x04510000 | 0x045cdfff | Memory Mapped File | Readable | False | False | False
private_0x00000000045e0000 | 0x045e0000 | 0x045effff | Private Memory | Readable, Writable | True | False | False
private_0x00000000045f0000 | 0x045f0000 | 0x0462ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004630000 | 0x04630000 | 0x0472ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004730000 | 0x04730000 | 0x0482ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004890000 | 0x04890000 | 0x0489ffff | Private Memory | Readable, Writable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007f170000 | 0x7f170000 | 0x7f26ffff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x000000007f270000 | 0x7f270000 | 0x7f292fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007f297000 | 0x7f297000 | 0x7f299fff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f29a000 | 0x7f29a000 | 0x7f29afff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f29c000 | 0x7f29c000 | 0x7f29efff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f29f000 | 0x7f29f000 | 0x7f29ffff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | True | False | False
pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
Host Behavior
Module (3)
Operation | Module | Additional Information | Success | Count
GET_HANDLE | c:\windows\syswow64\cmd.exe | base_address = 0x70000 | True | 1
GET_HANDLE | c:\windows\syswow64\kernel32.dll | base_address = 0x75650000 | True | 1
GET_PROC_ADDRESS | c:\windows\syswow64\kernel32.dll | function = SetThreadUILanguage, address = 0x75692780 | True | 1
Registry (1)
Operation | Key | Additional Information | Success | Count
OPEN_KEY | HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System | | False | 1
Process #7: reg.exe
ID / OS PID: #7 / 0xe4c
OS Parent PID: 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name: c:\windows\syswow64\reg.exe
Command Line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
Monitor: Start Time: 00:02:23, Reason: Child Process
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:00:19
OS Thread IDs: #111 0xE50
Remarks: No high level activity detected in monitored regions
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
reg.exe | 0x003a0000 | 0x003f2fff | Memory Mapped File | Readable, Writable, Executable | True | False | False
pagefile_0x0000000000c60000 | 0x00c60000 | 0x04c5ffff | Pagefile Backed Memory | - | True | False | False
private_0x0000000004c60000 | 0x04c60000 | 0x04c7ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004c80000 | 0x04c80000 | 0x04c81fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004c90000 | 0x04c90000 | 0x04ca3fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004cb0000 | 0x04cb0000 | 0x04ceffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004cf0000 | 0x04cf0000 | 0x04d2ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004d30000 | 0x04d30000 | 0x04d33fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x0000000004d40000 | 0x04d40000 | 0x04d40fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004d50000 | 0x04d50000 | 0x04d51fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004f40000 | 0x04f40000 | 0x04f4ffff | Private Memory | Readable, Writable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007e4c0000 | 0x7e4c0000 | 0x7e4e2fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007e4e8000 | 0x7e4e8000 | 0x7e4e8fff | Private Memory | Readable, Writable | True | False | False
private_0x000000007e4ec000 | 0x7e4ec000 | 0x7e4eefff | Private Memory | Readable, Writable | True | False | False
private_0x000000007e4ef000 | 0x7e4ef000 | 0x7e4effff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | True | False | False
pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
Process #9: reg.exe
(Host: 9, Network: 0)
ID / OS PID: #9 / 0xe60
OS Parent PID: 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name: c:\windows\syswow64\reg.exe
Command Line: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
Monitor: Start Time: 00:02:26, Reason: Child Process
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:00:16
OS Thread IDs: #115 0xE64, #131 0xEC0
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
reg.exe | 0x003a0000 | 0x003f2fff | Memory Mapped File | Readable, Writable, Executable | True | False | False
pagefile_0x00000000009b0000 | 0x009b0000 | 0x049affff | Pagefile Backed Memory | - | True | False | False
private_0x00000000049b0000 | 0x049b0000 | 0x049cffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000049b0000 | 0x049b0000 | 0x049bffff | Pagefile Backed Memory | Readable, Writable | True | False | False
private_0x00000000049c0000 | 0x049c0000 | 0x049c3fff | Private Memory | Readable, Writable | True | False | False
private_0x00000000049d0000 | 0x049d0000 | 0x049d1fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000049e0000 | 0x049e0000 | 0x049f3fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004a00000 | 0x04a00000 | 0x04a3ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004a40000 | 0x04a40000 | 0x04a7ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004a80000 | 0x04a80000 | 0x04a83fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x0000000004a90000 | 0x04a90000 | 0x04a90fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004aa0000 | 0x04aa0000 | 0x04aa1fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004ab0000 | 0x04ab0000 | 0x04aeffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004af0000 | 0x04af0000 | 0x04b2ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004b40000 | 0x04b40000 | 0x04b4ffff | Private Memory | Readable, Writable | True | False | False
locale.nls | 0x04b50000 | 0x04c0dfff | Memory Mapped File | Readable | False | False | False
private_0x0000000004ca0000 | 0x04ca0000 | 0x04d9ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004e40000 | 0x04e40000 | 0x04e4ffff | Private Memory | Readable, Writable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
bcryptprimitives.dll | 0x74e60000 | 0x74eb8fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
cryptbase.dll | 0x74ec0000 | 0x74ec9fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
sspicli.dll | 0x74ed0000 | 0x74eedfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
advapi32.dll | 0x74fb0000 | 0x7502afff | Memory Mapped File | Readable, Writable, Executable | False | False | False
KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ws2_32.dll | 0x75b90000 | 0x75bebfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
sechost.dll | 0x75eb0000 | 0x75ef2fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
nsi.dll | 0x76050000 | 0x76056fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
rpcrt4.dll | 0x76860000 | 0x7690bfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007f890000 | 0x7f890000 | 0x7f98ffff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x000000007f990000 | 0x7f990000 | 0x7f9b2fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007f9b5000 | 0x7f9b5000 | 0x7f9b5fff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f9b9000 | 0x7f9b9000 | 0x7f9b9fff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f9ba000 | 0x7f9ba000 | 0x7f9bcfff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f9bd000 | 0x7f9bd000 | 0x7f9bffff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | True | False | False
pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
Host Behavior
File (4)
Operation | Filename | Additional Information | Success | Count
OPEN | STD_OUTPUT_HANDLE | | True | 3
WRITE | STD_OUTPUT_HANDLE | size = 39 | True | 1
Module (1)
Operation | Module | Additional Information | Success | Count
GET_HANDLE | c:\windows\syswow64\reg.exe | base_address = 0x3a0000 | True | 1
Registry (4)
Operation | Key | Additional Information | Success | Count
CREATE_KEY | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | | True | 1
OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | | False | 1
READ_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | value_name = Hidden | True | 1
WRITE_VALUE | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | value_name = Hidden, data = 2 | True | 1
Process #10: reg.exe
(Host: 9, Network: 0)
ID / OS PID: #10 / 0xe68
OS Parent PID: 0xc8c (c:\users\wi2yhmti onvscy7pe\desktop\249bebc650b7160cfeee41d08bc61dc220ecb740.malware.exe)
Initial Working Directory: C:\Users\WI2yhmtI onvScY7Pe\Desktop
File Name: c:\windows\syswow64\reg.exe
Command Line: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
Monitor: Start Time: 00:02:26, Reason: Child Process
Unmonitor: End Time: 00:02:42, Reason: Terminated by Timeout
Monitor Duration: 00:00:16
OS Thread IDs: #116 0xE6C, #132 0xED0
Region
Name | Start VA | End VA | Type | Permissions | Monitored | Dump | YARA Match
reg.exe | 0x003a0000 | 0x003f2fff | Memory Mapped File | Readable, Writable, Executable | True | False | False
pagefile_0x0000000000410000 | 0x00410000 | 0x0440ffff | Pagefile Backed Memory | - | True | False | False
private_0x0000000004410000 | 0x04410000 | 0x0442ffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004410000 | 0x04410000 | 0x0441ffff | Pagefile Backed Memory | Readable, Writable | True | False | False
private_0x0000000004420000 | 0x04420000 | 0x04423fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004430000 | 0x04430000 | 0x04431fff | Private Memory | Readable, Writable | True | False | False
pagefile_0x0000000004440000 | 0x04440000 | 0x04453fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004460000 | 0x04460000 | 0x0449ffff | Private Memory | Readable, Writable | True | False | False
private_0x00000000044a0000 | 0x044a0000 | 0x044dffff | Private Memory | Readable, Writable | True | False | False
pagefile_0x00000000044e0000 | 0x044e0000 | 0x044e3fff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x00000000044f0000 | 0x044f0000 | 0x044f0fff | Pagefile Backed Memory | Readable | True | False | False
private_0x0000000004500000 | 0x04500000 | 0x04501fff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004520000 | 0x04520000 | 0x0452ffff | Private Memory | Readable, Writable | True | False | False
locale.nls | 0x04530000 | 0x045edfff | Memory Mapped File | Readable | False | False | False
private_0x00000000045f0000 | 0x045f0000 | 0x0462ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004630000 | 0x04630000 | 0x0466ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004680000 | 0x04680000 | 0x0477ffff | Private Memory | Readable, Writable | True | False | False
private_0x0000000004900000 | 0x04900000 | 0x0490ffff | Private Memory | Readable, Writable | True | False | False
wow64.dll | 0x53cc0000 | 0x53d0efff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64cpu.dll | 0x53d10000 | 0x53d17fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
wow64win.dll | 0x53d20000 | 0x53d92fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
bcryptprimitives.dll | 0x74e60000 | 0x74eb8fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
cryptbase.dll | 0x74ec0000 | 0x74ec9fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
sspicli.dll | 0x74ed0000 | 0x74eedfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
msvcrt.dll | 0x74ef0000 | 0x74fadfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
advapi32.dll | 0x74fb0000 | 0x7502afff | Memory Mapped File | Readable, Writable, Executable | False | False | False
KernelBase.dll | 0x752e0000 | 0x75455fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
kernel32.dll | 0x75650000 | 0x7573ffff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ws2_32.dll | 0x75b90000 | 0x75bebfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
sechost.dll | 0x75eb0000 | 0x75ef2fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
nsi.dll | 0x76050000 | 0x76056fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
rpcrt4.dll | 0x76860000 | 0x7690bfff | Memory Mapped File | Readable, Writable, Executable | False | False | False
ntdll.dll | 0x77dc0000 | 0x77f38fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
pagefile_0x000000007ef60000 | 0x7ef60000 | 0x7f05ffff | Pagefile Backed Memory | Readable | True | False | False
pagefile_0x000000007f060000 | 0x7f060000 | 0x7f082fff | Pagefile Backed Memory | Readable | True | False | False
private_0x000000007f085000 | 0x7f085000 | 0x7f087fff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f088000 | 0x7f088000 | 0x7f088fff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f08a000 | 0x7f08a000 | 0x7f08cfff | Private Memory | Readable, Writable | True | False | False
private_0x000000007f08d000 | 0x7f08d000 | 0x7f08dfff | Private Memory | Readable, Writable | True | False | False
private_0x000000007ffe0000 | 0x7ffe0000 | 0x7ffeffff | Private Memory | Readable | True | False | False
private_0x000000007fff0000 | 0x7fff0000 | 0x7dfb1ddcffff | Private Memory | Readable | True | False | False
pagefile_0x00007dfb1ddd0000 | 0x7dfb1ddd0000 | 0x7ffb1ddcffff | Pagefile Backed Memory | - | True | False | False
ntdll.dll | 0x7ffb1ddd0000 | 0x7ffb1df91fff | Memory Mapped File | Readable, Writable, Executable | False | False | False
private_0x00007ffb1df92000 | 0x7ffb1df92000 | 0x7ffffffeffff | Private Memory | Readable | True | False | False
Host Behavior
File (4)
Operation | Filename | Additional Information | Success | Count
OPEN | STD_OUTPUT_HANDLE | | True | 3
WRITE | STD_OUTPUT_HANDLE | size = 39 | True | 1
Module (1)
Operation | Module | Additional Information | Success | Count
GET_HANDLE | c:\windows\syswow64\reg.exe | base_address = 0x3a0000 | True | 1
Registry (4)
Operation | Key | Additional Information | Success | Count
CREATE_KEY | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | | True | 1
OPEN_KEY | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System | | False | 1
READ_VALUE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA | True | 1
WRITE_VALUE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | value_name = EnableLUA, data = 0 | True | 1
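The registry activity in this report falls into two groups: the writes Process #1 makes itself (Run values under HKCU and HKLM, then two rewrites of Winlogon\Userinit, the second of which drops userinit.exe from the value entirely so that only the copy in C:\ProgramData would run at logon) and the three reg.exe children (#7 HideFileExt=1, #9 Hidden=2, #10 EnableLUA=0). As an added example that is not part of the report and not VMRay's code, the Python below accepts both forms in which this page presents that evidence, flattened WRITE_VALUE rows and reg add command lines, normalises each into a (key, value, data) triple and applies a small rule set for persistence, UAC tampering and Explorer view settings. The rows and command lines are copied from this page; the parsers, the rule set and the expected clean Userinit value are this example's assumptions.

```python
import re
import shlex

# Constructed sample input: the WRITE_VALUE rows the report prints for Process #1
# (columns run together, exactly as on this page) plus the command lines of the
# reg.exe children #7, #9 and #10. The parsing and the rule set are this
# example's own, not VMRay's; the expected Userinit value is an assumption for a
# default Windows install.
REPORT_ROWS = [
    r"WRITE_VALUEHKEY_CURRENT_USER\software\microsoft\windows\currentversion\runvalue_name = XuMIAsww.exe, data = C:\Users\WI2yhmtI onvScY7Pe\ayooEMEE\XuMIAsww.exeTrue1",
    r"WRITE_VALUEHKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runvalue_name = YOUMMIEo.exe, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exeTrue1",
    r"WRITE_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogonvalue_name = Userinit, data = C:\Windows\system32\userinit.exe,C:\ProgramData\VmYMsIgM\YOUMMIEo.exe,True1",
    r"WRITE_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogonvalue_name = Userinit, data = C:\ProgramData\VmYMsIgM\YOUMMIEo.exe,True1",
    r"READ_VALUEHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogonvalue_name = Userinit, data_ident_out = 0False1",
]
REG_COMMANDS = [
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1",
    r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2",
    r"reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f",
]

HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKLM": "HKEY_LOCAL_MACHINE",
         "HKU": "HKEY_USERS", "HKCR": "HKEY_CLASSES_ROOT"}
USERINIT_EXPECTED = r"c:\windows\system32\userinit.exe"   # assumed clean value

# Columns of a flattened row: Operation, Key, "value_name = X, data = Y", Success, Count.
WRITE_RE = re.compile(
    r"^WRITE_VALUE(?P<key>HKEY_[A-Z_]+\\.*?)"
    r"value_name = (?P<value>[^,]+), data = (?P<data>.*?)"
    r"(?:True|False)\d+$"
)


def parse_report_row(row):
    """(key, value, data) for a flattened WRITE_VALUE row; None for other operations."""
    m = WRITE_RE.match(row)
    return None if m is None else (m["key"].lower(), m["value"].lower(), m["data"])


def parse_reg_add(cmd):
    """(key, value, data) for a 'reg add' command line; None for anything else."""
    tok = shlex.split(cmd, posix=False)          # posix=False keeps the backslashes
    if len(tok) < 3 or tok[0].lower() != "reg" or tok[1].lower() != "add":
        return None
    hive, _, rest = tok[2].partition("\\")
    key = HIVES.get(hive.upper(), hive) + "\\" + rest
    opts = {tok[i].lower(): tok[i + 1].strip('"')
            for i in range(3, len(tok) - 1) if tok[i].lower() in ("/v", "/d", "/t")}
    return key.lower(), opts.get("/v", "").lower(), opts.get("/d", "")


def assess(entry):
    """Findings for one normalised (key, value, data) write."""
    key, value, data = entry
    data = data.strip()
    out = []
    if key.endswith(r"\software\microsoft\windows\currentversion\run"):
        out.append(f"autostart persistence: Run value {value!r} -> {data}")
    if key.endswith(r"\windows nt\currentversion\winlogon") and value == "userinit":
        entries = [e.strip().lower() for e in data.split(",") if e.strip()]
        extra = [e for e in entries if e != USERINIT_EXPECTED]
        if extra:
            out.append(f"Winlogon Userinit hijack: extra entries {extra}")
        if USERINIT_EXPECTED not in entries:
            out.append("Winlogon Userinit no longer launches userinit.exe")
    if key.endswith(r"\policies\system") and value == "enablelua" and data == "0":
        out.append("UAC disabled: EnableLUA=0 (effective after the next reboot)")
    if key.endswith(r"\explorer\advanced"):
        if value == "hidefileext" and data == "1":
            out.append("Explorer hides file extensions (HideFileExt=1)")
        if value == "hidden" and data == "2":
            out.append("Explorer does not show hidden files (Hidden=2)")
    return out


def triage(report_rows, reg_commands):
    """Normalise both input forms and return (key, value, data, finding) tuples."""
    entries = [e for e in map(parse_report_row, report_rows) if e]
    entries += [e for e in map(parse_reg_add, reg_commands) if e]
    return [(k, v, d, f) for k, v, d in entries for f in assess((k, v, d))]


if __name__ == "__main__":
    for key, value, data, finding in triage(REPORT_ROWS, REG_COMMANDS):
        print(f"{finding}\n    {key}\\{value} = {data}")
```

The Userinit rule reports an appended entry and the removal of userinit.exe as two separate findings, because they mean different things on a host: the first is persistence that still logs the user in normally, the second breaks interactive logon unless the replacement re-launches userinit.exe itself. The EnableLUA write only takes effect after a reboot, which is why a live check of the value and a check of the current UAC state can disagree.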