5d4e22be...6c81 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Trojan

Remarks (1/1)

(0x2000010): The operating system was rebooted during the analysis.

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0x964 Analysis Target High (Elevated) nqmdwcixbxs.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe" -
#2 0xa14 Child Process High (Elevated) nqmdwcixbxs.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe" #1

Behavior Information - Grouped by Category

Process #1: nqmdwcixbxs.exe
330 0
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:00:36, Reason: Self Terminated
Monitor Duration 00:00:10
OS Process Information
Information Value
PID 0x964
Parent PID 0x45c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x968, 0x96C, 0x970, 0x980, 0x984, 0x988, 0xA20, 0xA2C
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EA6078, 0x73EBA5E0 False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EBFEDC False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EBBB90, 0x73EB9940 False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EB8690 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748B62B0, 0x7480CAB0 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748B11C4 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748BA025, 0x748B9DF8, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748BC078, 0x748CB090, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x7490A650, 0x748B29D1, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748CD000 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748D99AC, 0x748D8800 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x74937313, 0x748D61C4 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748C9B60 False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x74936C58, 0x748D2EF4, ... False False
microsoft.visualbasic.ni.dll 0x747E0000 0x7497AFFF Content Changed - 32-bit 0x748D06C8, 0x748D56B0 False False
system.drawing.ni.dll 0x73E70000 0x73FF7FFF Content Changed - 32-bit 0x73EB1FAC False False
Host Behavior
File (1)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config type = file_attributes False 1
Module (311)
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 2048 True 10
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 7
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 1
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 9
Get Filename c:\windows\syswow64\kernel32.dll process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 8
Get Filename c:\windows\syswow64\ntdll.dll process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 2
Get Address c:\windows\syswow64\kernel32.dll function = LoadLibraryA, address_out = 0x76c349d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessA, address_out = 0x76c31072 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetThreadContext, address_out = 0x76c579d4 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x7714fc70 True 1
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (3)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 3
Process #2: nqmdwcixbxs.exe
609 14
Information Value
ID #2
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:34, Reason: Child Process
Unmonitor End Time: 00:01:14, Reason: Self Terminated
Monitor Duration 00:00:40
OS Process Information
Information Value
PID 0xa14
Parent PID 0x964 (c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA18, 0xA28, 0xA30, 0xA38, 0xA3C, 0xA40, 0xA44, 0xA7C, 0xA80, 0xA84, 0xA88, 0xA8C, 0xA94, 0xA98, 0xA9C, 0xAA0, 0xAAC, 0xAC4, 0xAC8
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
custommarshalers.ni.dll 0x74710000 0x74749FFF Content Changed - 32-bit 0x74730E64 False False
custommarshalers.ni.dll 0x74710000 0x74749FFF Content Changed - 32-bit 0x74735920 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73B6F158, 0x73BD3F00, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C07874, 0x73BD4608, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BCC558, 0x73BCFB2B, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BD94F0, 0x73BD01D0 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BD8E08, 0x73C04B38 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BD2800, 0x73C0535C, ... False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C0CDC4 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C0E000, 0x73C0D00D False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73C19590 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BCE2A0 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BDB320 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BCC524 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73B6DA64 False False
system.management.ni.dll 0x73B50000 0x73C53FFF Content Changed - 32-bit 0x73BDB000, 0x73BDAF84, ... False False
buffer 0x006E0000 0x006E0FFF First Execution - 32-bit 0x006E0638, 0x006E09C4, ... False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A7D073 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A7E149 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A80050 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A81000 False False
system.configuration.ni.dll 0x73A50000 0x73B40FFF Content Changed - 32-bit 0x73A78650, 0x73A7A320, ... False False
system.xml.ni.dll 0x71100000 0x71635FFF Content Changed - 32-bit 0x711AF780 False False
system.xml.ni.dll 0x71100000 0x71635FFF Content Changed - 32-bit 0x7117E1A0, 0x71199290, ... False False
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe 440.00 KB
MD5: ef234f23724dc00e693bdb1b1218c1e8
SHA1: 27f0ca2bf23aca5bf4c737480038f23c7eea5b96
SHA256: 5d4e22be32dce5474b61e0df305861f2c07b10ddadbc2dc937481c7d2b736c81
SSDeep: 6144:gzxCyj385/GUCdxzGrGHqveLAS1aP4vAvKhAp081nNVjqKoe:gw8RxSle7AP4oy6nnjqKoe
YARA Match: False
Host Behavior
COM (20)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 2
Create WbemDefaultPathParser IWbemPath cls_context = CLSCTX_INPROC_SERVER True 3
Create WbemDefaultPathParser IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 5
Create WBEMLocator IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE 00000001-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 6
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
File (89)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Flock\Browser\profiles.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Flock\Browser\signons3.txt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\profiles.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\FileZilla\recentservers.xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\CoreFTP\sites.idx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java - True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe.config type = file_attributes False 3
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\ type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz type = file_attributes True 1
Get Info C:\Users type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 3
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = size, size_out = 0 True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\silmbjec.default\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Program Files (x86)\Common Files\Apple\Apple Application Support\plutil.exe type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Comodo\Dragon\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Program Files (x86)\Mozilla Firefox\ type = file_attributes True 3
Get Info C:\Program Files (x86)\Mozilla Thunderbird\ type = file_attributes False 2
Get Info C:\Program Files (x86)\SeaMonkey\ type = file_attributes False 2
Get Info C:\Program Files (x86)\Flock\ type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Chromium\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\signons.sqlite type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Mail\Opera Mail\wand.dat type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Pocomail\accounts.ini type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\The Bat! type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini type = file_attributes False 1
Get Info C:\ProgramData\DynDNS\Updater\config.dyndns type = file_attributes False 1
Get Info C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ftplist.txt type = file_attributes False 1
Get Info C:\Program Files (x86)\jDownloader\config\database.script type = file_attributes False 1
Copy C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe True 1
Move C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\\tmpG554.tmp source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, flags = MOVEFILE_WRITE_THROUGH True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 237 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 237 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 18432, size_out = 18432 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini size = 4096, size_out = 111 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini size = 4096, size_out = 0 True 1
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe:Zone.Identifier - False 1
Registry (215)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Open Key HKEY_CURRENT_USER - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - False 131
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 - True 1
Open Key HKEY_CURRENT_USER\Software\Aerofox\FoxmailPreview - False 1
Open Key HKEY_CURRENT_USER\Software\Aerofox\Foxmail\V3.1 - False 1
Open Key HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine - False 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions - False 1
Open Key HKEY_CURRENT_USER\Software\Paltalk - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC - False 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC - False 2
Open Key HKEY_CURRENT_USER\Software\DownloadManager\Passwords - False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Impersonation Level, data = 3 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace, data = 114 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductId, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows value_name = Load, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = Email, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = Email, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP Password, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = Email, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = IMAP Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = POP3 Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = HTTP Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = SMTP Password, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites value_name = Host, data = 2147942402 False 1
Fn
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort, data = 2147942403 False 1
Fn
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser, data = 2147942403 False 1
Fn
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW, data = 2147942403 False 1
Fn
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName, data = 2147942403 False 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander value_name = UninstallString, data = 2147942402 False 1
Fn
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows value_name = Load, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, size = 130, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Get Key Info HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Module (69)
Operation Module Additional Information Success Count Logfile
Load C:\Windows\system32\advapi32.dll base_address = 0x74d40000 True 1
Fn
Load C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll base_address = 0x6a310000 True 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\\msvcr100.dll base_address = 0x70370000 True 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\\msvcp100.dll base_address = 0x70300000 True 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\\msvcr120.dll base_address = 0x0 False 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\\msvcp120.dll base_address = 0x0 False 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\\msvcp140.dll base_address = 0x0 False 2
Fn
Load C:\Program Files (x86)\Mozilla Firefox\\vcruntime140.dll base_address = 0x0 False 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\mozglue.dll base_address = 0x702d0000 True 1
Fn
Load C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0x70110000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74f40000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 4
Fn
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\nqmdwcixbxs.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\nqmdwcixbxs.exe, size = 256 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = DuplicateTokenEx, address_out = 0x74d4ca24 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ResetSecurity, address_out = 0x6a311944 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SetSecurity, address_out = 0x6a311986 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BlessIWbemServices, address_out = 0x6a3119cc True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyHandle, address_out = 0x6a311a70 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = WritePropertyValue, address_out = 0x6a311a89 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Clone, address_out = 0x6a311aa2 True 2
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = VerifyClientKey, address_out = 0x6a312270 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetQualifierSet, address_out = 0x6a311d73 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Get, address_out = 0x6a311b96 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Put, address_out = 0x6a311b7a True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Delete, address_out = 0x6a311bb5 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetNames, address_out = 0x6a311bc8 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BeginEnumeration, address_out = 0x6a311be4 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Next, address_out = 0x6a311bf7 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = EndEnumeration, address_out = 0x6a311c16 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetObjectText, address_out = 0x6a311c3c True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SpawnDerivedClass, address_out = 0x6a311c52 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SpawnInstance, address_out = 0x6a311c68 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CompareTo, address_out = 0x6a311c7e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyOrigin, address_out = 0x6a311c94 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = InheritsFrom, address_out = 0x6a311caa True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethod, address_out = 0x6a311cbd True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutMethod, address_out = 0x6a311cd9 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = DeleteMethod, address_out = 0x6a311cf5 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = NextMethod, address_out = 0x6a311d1b True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = EndMethodEnumeration, address_out = 0x6a311d37 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethodOrigin, address_out = 0x6a311d5d True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Get, address_out = 0x6a311d86 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Put, address_out = 0x6a311da2 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Delete, address_out = 0x6a311dbb True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_GetNames, address_out = 0x6a311dce True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Next, address_out = 0x6a311df7 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ExecQueryWmi, address_out = 0x6a31169e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutInstanceWmi, address_out = 0x6a311790 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutClassWmi, address_out = 0x6a311810 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ConnectServerWmi, address_out = 0x6a3124b7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
Fn
Get Address c:\program files (x86)\mozilla firefox\nss3.dll function = NSS_Init, address_out = 0x701cd70b True 1
Fn
User (2)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (6)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WindowsForms10.Window.0.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Create - class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 1997940189 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 5182258 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = -4, new_long = 1997940189 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = -4, new_long = 5183418 True 1
Fn
Keyboard (82)
Operation Additional Information Success Count Logfile
Get Info type = KB_LOCALE_ID, os_tid = 1120, result_out = 67699721 True 2
Fn
Read result_out = 1 True 2
Fn
Read virtual_key_code = VK_SHIFT, result_out = 0 True 24
Fn
Read virtual_key_code = VK_CONTROL, result_out = 0 True 24
Fn
Read virtual_key_code = VK_MENU, result_out = 0 True 9
Fn
Read virtual_key_code = VK_CAPITAL, result_out = 0 True 6
Fn
Read virtual_key_code = VK_MENU, result_out = -127 True 9
Fn
Read virtual_key_code = VK_MENU, result_out = 1 True 6
Fn
System (64)
Operation Additional Information Success Count Logfile
Get foreground window - True 17
Fn
Get window text window_text = 3860044 True 10
Fn
Get window text window_text = 3860044 False 5
Fn
Get Computer Name result_out = XDUWTFONO True 2
Fn
Get Time type = System Time, time = 2019-07-21 23:35:26 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:27 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:28 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:29 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:30 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:31 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:32 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:33 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:34 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:35 (UTC) True 1
Fn
Get Time type = System Time, time = 2019-07-21 23:35:36 (UTC) True 1
Fn
Get Time type = System Time, time = 1602-08-21 03:50:32 (UTC) True 1
Fn
Get Time type = System Time, time = 1602-08-21 03:50:33 (UTC) True 1
Fn
Get Time type = System Time, time = 1627-02-28 13:28:30 (UTC) True 1
Fn
Get Time type = System Time, time = 1627-02-28 13:28:31 (UTC) True 1
Fn
Get Time type = System Time, time = 1627-02-28 13:28:32 (UTC) True 1
Fn
Get Time type = System Time, time = 1627-02-28 13:28:34 (UTC) True 1
Fn
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x4f1652 True 1
Fn
Get Info type = Operating System True 6
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 3
Fn
Get Network Adapter Info - False 1
Fn
Get Network Adapter Info - True 1
Fn
Mutex (12)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 10
Fn
Create mutex_name = Global\.net clr networking False 1
Fn
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Environment (7)
Operation Additional Information Success Count Logfile
Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 4
Fn
Get Environment String name = APPDATA, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 2
Fn
Get Environment String name = PROGRAMFILES, result_out = C:\Program Files (x86) True 1
Fn
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Resolve Name host = www.vacanzaimmobiliare.it, address_out = 185.81.4.56 True 2
Fn
TCP Sessions (5)
Information Value
Total Data Sent 0 bytes
Total Data Received 0 bytes
Contacted Host Count 1
Contacted Hosts 185.81.4.56
TCP Session #1
Information Value
Remote Address 185.81.4.56
Remote Port 443
Local Address 192.168.0.240
Local Port 49160
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Close type = SOCK_STREAM True 1
Fn
TCP Session #2
Information Value
Remote Address 185.81.4.56
Remote Port 80
Local Address 192.168.0.240
Local Port 49159
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.81.4.56, remote_port = 80 True 1
Fn
Send flags = NO_FLAG_SET, size = 286, size_out = 286 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4096, size_out = 458 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #3
Information Value
Remote Address 185.81.4.56
Remote Port 443
Local Address 192.168.0.240
Local Port 49160
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Close type = SOCK_STREAM True 1
Fn
TCP Session #4
Information Value
Remote Address 185.81.4.56
Remote Port 443
Local Address 192.168.0.240
Local Port 49160
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Close type = SOCK_STREAM True 1
Fn
TCP Session #5
Information Value
Remote Address 185.81.4.56
Remote Port 443
Local Address 192.168.0.240
Local Port 49166
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 185.81.4.56, remote_port = 443 True 1
Fn
Send flags = NO_FLAG_SET, size = 129, size_out = 129 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5, size_out = 5 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5377, size_out = 2 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 5375, size_out = 0 True 1
Fn
Close type = SOCK_STREAM True 1
Fn
HTTP Sessions (3)
Information Value
Total Data Sent 882 bytes
Total Data Received 1.34 KB
Contacted Host Count 1
Contacted Hosts 185.81.4.56
HTTP Session #1
Information Value
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Server Name www.vacanzaimmobiliare.it
Server Port 80
Username -
Password -
Data Sent 310 bytes
Data Received 458 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Open Connection protocol = http, server_name = www.vacanzaimmobiliare.it, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /testla/WebPanel/post.php True 1
Fn
Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.vacanzaimmobiliare.it, Content-Length: 157, Expect: 100-continue, Connection: Keep-Alive, url = www.vacanzaimmobiliare.it/testla/WebPanel/post.php True 1
Fn
Data
Read Response size = 4096, size_out = 458 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #2
Information Value
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Server Name www.vacanzaimmobiliare.it
Server Port 80
Username -
Password -
Data Sent 286 bytes
Data Received 458 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Open Connection protocol = http, server_name = www.vacanzaimmobiliare.it, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /testla/WebPanel/post.php True 1
Fn
Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.vacanzaimmobiliare.it, Content-Length: 203, Expect: 100-continue, url = www.vacanzaimmobiliare.it/testla/WebPanel/post.php True 1
Fn
Data
Read Response size = 4096, size_out = 458 True 1
Fn
Data
Close Session - True 1
Fn
HTTP Session #3
Information Value
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Server Name www.vacanzaimmobiliare.it
Server Port 80
Username -
Password -
Data Sent 286 bytes
Data Received 458 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Open Connection protocol = http, server_name = www.vacanzaimmobiliare.it, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /testla/WebPanel/post.php True 1
Fn
Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.vacanzaimmobiliare.it, Content-Length: 201, Expect: 100-continue, url = www.vacanzaimmobiliare.it/testla/WebPanel/post.php True 1
Fn
Data
Read Response size = 4096, size_out = 458 True 1
Fn
Data
Close Session - True 1
Fn