75ca5c2c...7783 | Sequential Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Spyware

75ca5c2caf5216140f8e3e34160bdc64ce59d75fce1feeaa809ec18f01427783 (SHA256)

volumesound.exe

Windows Exe (x86-32)

Created at 2018-11-06 10:28:00

Monitored Processes

Process Overview
ID | PID | Monitor Reason | Integrity Level | Image Name | Command Line | Origin ID
#1 | 0xdd8 | Analysis Target | High (Elevated) | volumesound.exe | "C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe" | -
#2 | 0xf48 | Child Process | High (Elevated) | explorer.exe | C:\Windows\SysWOW64\explorer.exe | #1

Behavior Information - Sequential View

Process #1: volumesound.exe
Information Value
ID #1
File Name c:\users\ciihmnxmn6ps\desktop\volumesound.exe
Command Line "C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe"
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:00:46, Reason: Analysis Target
Unmonitor End Time: 00:01:30, Reason: Self Terminated
Monitor Duration 00:00:44
OS Process Information
Information Value
PID 0xdd8
Parent PID 0x508 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xddc, 0xde0, 0xde4, 0xe40, 0xe44, 0xe48, 0xf20
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
private_0x0000000000020000 0x00020000 0x00023fff Private Memory rw True False False -
private_0x0000000000030000 0x00030000 0x00030fff Private Memory rw True False False -
pagefile_0x0000000000040000 0x00040000 0x00053fff Pagefile Backed Memory r True False False -
private_0x0000000000060000 0x00060000 0x0009ffff Private Memory rw True False False -
private_0x00000000000a0000 0x000a0000 0x0019ffff Private Memory rw True False False -
pagefile_0x00000000001a0000 0x001a0000 0x001a3fff Pagefile Backed Memory r True False False -
pagefile_0x00000000001b0000 0x001b0000 0x001b0fff Pagefile Backed Memory r True False False -
private_0x00000000001c0000 0x001c0000 0x001c1fff Private Memory rw True False False -
locale.nls 0x001d0000 0x0028dfff Memory Mapped File r False False False -
private_0x0000000000290000 0x00290000 0x00290fff Private Memory rw True False False -
private_0x00000000002a0000 0x002a0000 0x002affff Private Memory rw True False False -
private_0x00000000002b0000 0x002b0000 0x002effff Private Memory rw True False False -
private_0x00000000002f0000 0x002f0000 0x003effff Private Memory rw True False False -
msvfw32.dll.mui 0x003f0000 0x003f1fff Memory Mapped File r False False False -
volumesound.exe 0x00400000 0x0046ffff Memory Mapped File rwx True True True
private_0x0000000000470000 0x00470000 0x004affff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x005affff Private Memory rw True False False -
private_0x00000000005b0000 0x005b0000 0x0060ffff Private Memory rw True False False -
pagefile_0x00000000005b0000 0x005b0000 0x005b0fff Pagefile Backed Memory r True False False -
pagefile_0x00000000005b0000 0x005b0000 0x005b3fff Pagefile Backed Memory r True False False -
private_0x00000000005c0000 0x005c0000 0x005c3fff Private Memory rw True False False -
private_0x00000000005d0000 0x005d0000 0x005d3fff Private Memory rw True False False -
private_0x00000000005e0000 0x005e0000 0x005e0fff Private Memory rw True False False -
pagefile_0x00000000005f0000 0x005f0000 0x005f1fff Pagefile Backed Memory r True False False -
private_0x0000000000600000 0x00600000 0x0060ffff Private Memory rw True False False -
windowsshell.manifest 0x00610000 0x00610fff Memory Mapped File r False False False -
private_0x0000000000610000 0x00610000 0x00610fff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x0071ffff Private Memory rw True False False -
pagefile_0x0000000000720000 0x00720000 0x008a7fff Pagefile Backed Memory r True False False -
pagefile_0x00000000008b0000 0x008b0000 0x008b1fff Pagefile Backed Memory r True False False -
private_0x00000000008c0000 0x008c0000 0x008c0fff Private Memory rw True False False -
private_0x00000000008d0000 0x008d0000 0x0090ffff Private Memory rw True False False -
display.pnf 0x008d0000 0x008d1fff Memory Mapped File r False False False -
pagefile_0x00000000008d0000 0x008d0000 0x008e0fff Pagefile Backed Memory rw True False False -
private_0x00000000008f0000 0x008f0000 0x008f0fff Private Memory rw True False False -
private_0x0000000000910000 0x00910000 0x00913fff Private Memory rw True False False -
pagefile_0x0000000000920000 0x00920000 0x00920fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000930000 0x00930000 0x00930fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000940000 0x00940000 0x00940fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000940000 0x00940000 0x00942fff Pagefile Backed Memory r True False False -
private_0x0000000000950000 0x00950000 0x0095ffff Private Memory rw True False False -
pagefile_0x0000000000960000 0x00960000 0x00ae0fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000af0000 0x00af0000 0x01eeffff Pagefile Backed Memory r True False False -
private_0x0000000001ef0000 0x01ef0000 0x0202ffff Private Memory rw True False False -
pagefile_0x0000000001ef0000 0x01ef0000 0x01fa7fff Pagefile Backed Memory r True False False -
pagefile_0x0000000001fb0000 0x01fb0000 0x01fb0fff Pagefile Backed Memory r True False False -
private_0x0000000001fc0000 0x01fc0000 0x01ffffff Private Memory rw True False False -
private_0x0000000002000000 0x02000000 0x02008fff Private Memory rw True False False -
private_0x0000000002010000 0x02010000 0x02010fff Private Memory rw True False False -
private_0x0000000002020000 0x02020000 0x0202ffff Private Memory rw True False False -
private_0x0000000002030000 0x02030000 0x02053fff Private Memory rw True False False -
private_0x0000000002030000 0x02030000 0x02030fff Private Memory rw True False False -
pagefile_0x0000000002030000 0x02030000 0x02030fff Pagefile Backed Memory rw True False False -
private_0x0000000002040000 0x02040000 0x02046fff Private Memory rw True False False -
private_0x0000000002050000 0x02050000 0x02056fff Private Memory rwx True False False -
private_0x0000000002060000 0x02060000 0x02083fff Private Memory rw True False False -
private_0x0000000002090000 0x02090000 0x02098fff Private Memory rw True False False -
imageres.dll.mui 0x020a0000 0x020a0fff Memory Mapped File r False False False -
private_0x00000000020a0000 0x020a0000 0x020a0fff Private Memory rwx True False False -
private_0x00000000020a0000 0x020a0000 0x020dffff Private Memory rw True False False -
private_0x00000000020e0000 0x020e0000 0x020effff Private Memory rw True False False -
sortdefault.nls 0x020f0000 0x02426fff Memory Mapped File r False False False -
private_0x0000000002430000 0x02430000 0x0252ffff Private Memory rw True False False -
private_0x0000000002530000 0x02530000 0x0262ffff Private Memory rw True False False -
private_0x0000000002630000 0x02630000 0x0272ffff Private Memory rw True False False -
imageres.dll 0x02730000 0x05344fff Memory Mapped File r False False False -
private_0x0000000002730000 0x02730000 0x02777fff Private Memory rw True False False -
private_0x0000000002780000 0x02780000 0x0287ffff Private Memory rw True False False -
private_0x0000000002880000 0x02880000 0x02a7ffff Private Memory rw True False False -
private_0x0000000002a80000 0x02a80000 0x02e7ffff Private Memory rw True False False -
private_0x0000000002e80000 0x02e80000 0x0367ffff Private Memory rw True False False -
private_0x0000000003680000 0x03680000 0x0377ffff Private Memory rw True False False -
private_0x0000000003780000 0x03780000 0x0474ffff Private Memory rw True False False -
private_0x0000000004750000 0x04750000 0x047cffff Private Memory rw True False False -
private_0x00000000047d0000 0x047d0000 0x048cffff Private Memory rw True False False -
private_0x00000000048d0000 0x048d0000 0x049cffff Private Memory rw True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
version.dll 0x73e10000 0x73e17fff Memory Mapped File rwx False False False -
winsta.dll 0x73e20000 0x73e63fff Memory Mapped File rwx False False False -
userenv.dll 0x73e70000 0x73e88fff Memory Mapped File rwx False False False -
rsaenh.dll 0x73e90000 0x73ebefff Memory Mapped File rwx False False False -
cryptsp.dll 0x73ec0000 0x73ed2fff Memory Mapped File rwx False False False -
urlmon.dll 0x73ee0000 0x7403ffff Memory Mapped File rwx False False False -
iertutil.dll 0x74040000 0x74300fff Memory Mapped File rwx False False False -
bcrypt.dll 0x74310000 0x7432afff Memory Mapped File rwx False False False -
windowscodecs.dll 0x74330000 0x744a0fff Memory Mapped File rwx False False False -
propsys.dll 0x744b0000 0x745f1fff Memory Mapped File rwx False False False -
comctl32.dll 0x74600000 0x74808fff Memory Mapped File rwx False False False -
winmm.dll 0x74810000 0x74833fff Memory Mapped File rwx False False False -
devobj.dll 0x74840000 0x74860fff Memory Mapped File rwx False False False -
winmmbase.dll 0x74870000 0x74892fff Memory Mapped File rwx False False False -
msacm32.dll 0x748a0000 0x748b7fff Memory Mapped File rwx False False False -
msvfw32.dll 0x748c0000 0x748e2fff Memory Mapped File rwx False False False -
avifil32.dll 0x748f0000 0x7490bfff Memory Mapped File rwx False False False -
mpr.dll 0x74910000 0x74926fff Memory Mapped File rwx False False False -
wininet.dll 0x74930000 0x74b53fff Memory Mapped File rwx False False False -
comctl32.dll 0x74b60000 0x74bf1fff Memory Mapped File rwx False False False -
dwmapi.dll 0x74c00000 0x74c1cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
apphelp.dll 0x74ca0000 0x74d30fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
comdlg32.dll 0x75160000 0x7521dfff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75220000 0x75255fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
clbcatq.dll 0x76820000 0x768a1fff Memory Mapped File rwx False False False -
ole32.dll 0x768b0000 0x76999fff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
setupapi.dll 0x76a90000 0x76c34fff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
msasn1.dll 0x76d30000 0x76d3dfff Memory Mapped File rwx False False False -
wintrust.dll 0x76d40000 0x76d81fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
crypt32.dll 0x77ab0000 0x77c24fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007fea7000 0x7fea7000 0x7fea9fff Private Memory rw True False False -
private_0x000000007feaa000 0x7feaa000 0x7feacfff Private Memory rw True False False -
private_0x000000007fead000 0x7fead000 0x7feaffff Private Memory rw True False False -
pagefile_0x000000007feb0000 0x7feb0000 0x7ffaffff Pagefile Backed Memory r True False False -
pagefile_0x000000007ffb0000 0x7ffb0000 0x7ffd2fff Pagefile Backed Memory r True False False -
private_0x000000007ffd5000 0x7ffd5000 0x7ffd7fff Private Memory rw True False False -
private_0x000000007ffd8000 0x7ffd8000 0x7ffdafff Private Memory rw True False False -
private_0x000000007ffdb000 0x7ffdb000 0x7ffddfff Private Memory rw True False False -
private_0x000000007ffde000 0x7ffde000 0x7ffdefff Private Memory rw True False False -
private_0x000000007ffdf000 0x7ffdf000 0x7ffdffff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7ff8ee37ffff Private Memory r True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
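The region table above lists every memory range observed in process #1 over the whole monitoring window, not a single snapshot: the same range appears more than once with different sizes and types (0x00010000, 0x005b0000 and 0x020a0000 each occur two or three times). Three things are worth pulling out of it mechanically. The sample's own image (0x00400000-0x0046ffff) is the only mapped file that was dumped and matched YARA. Two private, non-file-backed regions are rwx, at 0x02050000 and 0x020a0000, which is where unpacked or run-time-generated code would sit. And every system DLL is listed as rwx, so for image mappings the permission column alone carries no signal. The Python below is an added example written for this page, not VMRay's code: it parses rows in the layout printed above and applies those three checks. The sample rows are copied from the table; reading private rwx memory as a candidate for unpacked code is an analyst heuristic, not a claim the report makes.

```python
import re
from dataclasses import dataclass
from itertools import combinations

# One region per line, in the column order printed in the report:
# name start end type perms monitored dumped yara [actions]
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<start>0x[0-9a-fA-F]+)\s+(?P<end>0x[0-9a-fA-F]+)\s+"
    r"(?P<kind>Private Memory|Pagefile Backed Memory|Memory Mapped File)\s+"
    r"(?P<perms>[rwx]+)\s+(?P<monitored>True|False)\s+(?P<dumped>True|False)\s+"
    r"(?P<yara>True|False)(?:\s+\S+)?\s*$")


@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int
    kind: str
    perms: str
    monitored: bool
    dumped: bool
    yara: bool


def parse_regions(text):
    regions = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised region row: {line!r}")
        regions.append(Region(m["name"], int(m["start"], 16), int(m["end"], 16),
                              m["kind"], m["perms"], m["monitored"] == "True",
                              m["dumped"] == "True", m["yara"] == "True"))
    return regions


def executable_non_image(regions):
    """Executable memory that is not a mapped file. Code unpacked or written at run
    time lives here. Image mappings are excluded because every system DLL in this
    report is listed as rwx, so their permission column says nothing by itself."""
    return [r for r in regions if "x" in r.perms and r.kind != "Memory Mapped File"]


def flagged_images(regions):
    """Mapped files the sandbox dumped or matched with YARA (on this page: the sample only)."""
    return [r for r in regions if r.kind == "Memory Mapped File" and (r.dumped or r.yara)]


def overlapping_pairs(regions):
    """Pairs of rows that share addresses. The table accumulates regions over the run,
    so an overlap means a range was freed and reused or re-mapped, not that two live
    regions coexisted."""
    ordered = sorted(regions, key=lambda r: (r.start, r.end))
    return [(a.name, b.name) for a, b in combinations(ordered, 2)
            if a.start <= b.end and b.start <= a.end]


def summarize(text):
    regions = parse_regions(text)
    return {"rows": len(regions),
            "executable_non_image": [(r.name, hex(r.start), hex(r.end), r.perms)
                                     for r in executable_non_image(regions)],
            "flagged_images": [r.name for r in flagged_images(regions)],
            "overlapping_pairs": overlapping_pairs(regions)}


# Constructed sample: rows copied verbatim from the region table on this page.
SAMPLE_ROWS = """
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory rw True False False -
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory rw True False False -
volumesound.exe 0x00400000 0x0046ffff Memory Mapped File rwx True True True
private_0x0000000002050000 0x02050000 0x02056fff Private Memory rwx True False False -
imageres.dll.mui 0x020a0000 0x020a0fff Memory Mapped File r False False False -
private_0x00000000020a0000 0x020a0000 0x020a0fff Private Memory rwx True False False -
private_0x00000000020a0000 0x020a0000 0x020dffff Private Memory rw True False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
"""

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_ROWS))
```

Run against the full table, the two private rwx regions are the ones to pull out of the process dump first; the 0x020a0000 range is also the one that later appears as a plain rw region and as the imageres.dll.mui mapping, which is the reuse pattern the overlap check is there to surface.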
Threads
Thread 0xddc
Category | Operation | Information | Success | Count
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsAlloc, address_out = 0x7527a330 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsGetValue, address_out = 0x75277580 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsSetValue, address_out = 0x75279910 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = FlsFree, address_out = 0x7527f400 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200 | True | 1
File | Open | filename = STD_INPUT_HANDLE | True | 1
File | Open | filename = STD_OUTPUT_HANDLE | True | 1
File | Open | filename = STD_ERROR_HANDLE | True | 1
Environment | Get Environment String | - | True | 1
Module | Get Filename | process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 260 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = IsProcessorFeaturePresent, address_out = 0x75279680 | True | 1
Mutex | Open | mutex_name = Lambda, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | False | 1
Mutex | Create | mutex_name = Lambda | True | 1
Window | Create | window_name = Lambda HTML Editor, class_name = Lambda, wndproc_parameter = 0 | True | 1
Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 | True | 1
Window | Create | class_name = ToolbarWindow32, wndproc_parameter = 0 | True | 1
Window | Set Attribute | class_name = ToolbarWindow32, index = 18446744073709551612 (-4, GWL_WNDPROC), new_long = 4321264 (0x41eff0, inside the volumesound.exe image) | True | 1
Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 | True | 1
Window | Create | class_name = SysTreeView32, wndproc_parameter = 0 | True | 1
Window | Set Attribute | class_name = SysTreeView32, index = 18446744073709551595 (-21, GWL_USERDATA), new_long = 33686728 (0x20204c8) | False | 1
Window | Set Attribute | class_name = SysTreeView32, index = 18446744073709551612 (-4, GWL_WNDPROC), new_long = 4251648 (0x40e000, inside the volumesound.exe image) | True | 1
Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 | True | 1
Window | Create | class_name = STATIC, wndproc_parameter = 0 | True | 1
Window | Set Attribute | class_name = STATIC, index = 18446744073709551612 (-4, GWL_WNDPROC), new_long = 4294976 (0x418940, inside the volumesound.exe image) | True | 1
Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 | True | 1
Window | Create | class_name = SysTabControl32, wndproc_parameter = 0 | True | 1
Window | Set Attribute | class_name = SysTabControl32, index = 18446744073709551612 (-4, GWL_WNDPROC), new_long = 4297168 (0x4191d0, inside the volumesound.exe image) | True | 1
Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 | True | 2
Window | Create | class_name = LambdaEditor, wndproc_parameter = 0 | True | 1
Window | Set Attribute | class_name = LambdaEditor, index = 18446744073709551595 (-21, GWL_USERDATA), new_long = 33689992 (0x2021188) | False | 1
Module | Get Filename | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 260 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = AllowMultipleInstance, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = AutoConvertChars, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = AutomaticlyUpdate, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = OpenUnsupportedFiles, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = UseDefaultInternetBrowser, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = InternetBrowser, default_value = iexplore.exe, data_out = iexplore.exe | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = HideExplorer, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = HideSplitter, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = Left, default_value = 0 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = Top, default_value = 0 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = Height, default_value = 400 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Lambda, key_name = Width, default_value = 800 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Project Explorer, key_name = OpenOnSingleClick, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Project Explorer, key_name = RenameOnClick, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Project Explorer, key_name = AutomaticlyHide, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Project Explorer, key_name = AutomaticHideDelay, default_value = 2 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Project Explorer, key_name = Width, default_value = 200 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = OverwriteEmptyDocuments, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = OverwriteSelectedText, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = OverwriteTypingMode, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = IndentAutomaticly, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = GroupUndos, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = SelectLineOnDoubleClick, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = SpaceSeparatedWords, default_value = false, data_out = false | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = TabIndentsLines, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = TabSize, default_value = 4 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = UseDefaultScrollLineCount, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = ScrollLineCount, default_value = 3 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = GutterVisible, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = MarginVisible, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = LineNumbersVisible, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = AutomaticlyResizeGutter, default_value = true, data_out = true | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = GutterSize, default_value = 22 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = MarginSize, default_value = 80 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = EditorFontName, default_value = Courier New, data_out = Courier New | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = EditorFontSize, default_value = 10 | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = GutterFontName, default_value = Courier New, data_out = Courier New | True | 1
Ini | Read | file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\settings.ini, section_name = Editor, key_name = GutterFontSize, default_value = 10 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = EncodePointer, address_out = 0x77cff190 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200 | True | 1

Note on the Set Attribute rows: the index values are the unsigned rendering of the negative GWL_* constants, and the four GWL_WNDPROC writes point into the sample's own image, i.e. the common controls are being subclassed by code in volumesound.exe. The two GWL_USERDATA writes marked False are not necessarily failures: SetWindowLong returns the previous value, which is 0 for a freshly created window, and a 0 return cannot be told apart from an error without GetLastError.
Thread 0xe40
Category | Operation | Information | Success | Count
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\kernel32.dll, base_address = 0x75260000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\kernel32.dll, function = DecodePointer, address_out = 0x77cfa200 | True | 1
File | Read | filename = STD_ERROR_HANDLE, size = 0 | False | 1
System | Get Cursor | x_out = 1388, y_out = 546 | True | 88
File | Create | desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | False | 1
File | Write | size = 0 | False | 1
File | Get Info | - | True | 1
File | Create | filename = , file_attributes = _O_WRONLY | False | 1
File | Write | filename = System Paging File, size = 0 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76a10000 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\ntdll.dll, base_address = 0x77ca0000 | True | 1
Module | Get Handle | module_name = c:\windows\syswow64\advapi32.dll, base_address = 0x76a10000 | True | 1
Module | Get Handle | module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 | True | 1
System | Get Time | type = System Time, time = 2018-11-06 10:30:03 (UTC) | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlReAllocateHeap, address_out = 0x77cdbae0 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77cdda90 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlSizeHeap, address_out = 0x77cf4f40 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlExitUserThread, address_out = 0x77d02570 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlEnterCriticalSection, address_out = 0x77ce5e80 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlDeleteCriticalSection, address_out = 0x77cf9920 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 | True | 1
Module | Load | module_name = NTDLL, base_address = 0x77ca0000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\ntdll.dll, function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 | True | 1
Module | Load | module_name = ntdll, base_address = 0x77ca0000 | True | 1
Module | Load | module_name = user32, base_address = 0x77150000 | True | 1
Module | Load | module_name = Psapi, base_address = 0x773d0000 | True | 1
Module | Load | module_name = winsta.dll, base_address = 0x73e20000 | True | 1
Module | Load | module_name = gdi32, base_address = 0x77000000 | True | 1
Module | Load | module_name = advapi32, base_address = 0x76a10000 | True | 1
Module | Load | module_name = shlwapi, base_address = 0x77290000 | True | 1
Module | Load | module_name = shell32, base_address = 0x75430000 | True | 1
Module | Load | module_name = ole32, base_address = 0x768b0000 | True | 1
Module | Load | module_name = api-ms-win-core-com-l1-1-0, base_address = 0x76e40000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\combase.dll, function = CoCreateInstance, address_out = 0x76ee8200 | True | 1
Module | Load | module_name = api-ms-win-core-com-l1-1-0, base_address = 0x76e40000 | True | 1
Module | Get Address | module_name = c:\windows\syswow64\combase.dll, function = CoUninitialize, address_out = 0x76eadca0 | True | 1
Module | Load | module_name = oleaut32, base_address = 0x76c90000 | True | 1
Module | Load | module_name = version, base_address = 0x73e10000 | True | 1
Module | Load | module_name = crypt32, base_address = 0x77ab0000 | True | 1
Thread 0xf20
Category | Operation | Information | Success | Count
System | Get Computer Name | result_out = LHNIWSJ | True | 1
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 | True | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57916AF, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | False | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\F57916AF, desired_access = GENERIC_READ | False | 1
System | Get Computer Name | result_out = LHNIWSJ | True | 1
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 | True | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | False | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ | False | 1
Module | Get Handle | module_name = sbiedll.dll, base_address = 0x0 | False | 1
System | Get Computer Name | result_out = LHNIWSJ | True | 1
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 | True | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | False | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ | False | 1
System | Get Time | type = Ticks, time = 143281 | True | 1
System | Sleep | duration = 500 milliseconds (0.500 seconds) | True | 1
System | Get Time | type = Ticks, time = 143796 | True | 1
System | Get Computer Name | result_out = LHNIWSJ | True | 1
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 | True | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ | False | 1
File | Create | filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ | False | 1
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\Description\System | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\HARDWARE\Description\System, value_name = VideoBiosVersion, data = 0 | False | 1
System | Get Computer Name | result_out = LHNIWSJ | True | 1
Registry | Open Key | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion | True | 1
Registry | Read Value | reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 | True | 1
Fn
System Get Info type = Operating System True 1
Fn
System Get Info type = Operating System True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 True 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ False 1
Fn
Module Load module_name = setupapi, base_address = 0x76a90000 True 1
Fn
Module Get Filename module_name = sbiedll.dll, process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 501 True 1
Fn
Mutex Open mutex_name = Global\UzFCA0D558, desired_access = SYNCHRONIZE False 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 True 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ False 1
Fn
Debug Check for Presence c:\users\ciihmnxmn6ps\desktop\volumesound.exe True 1
Fn
Module Get Filename module_name = sbiedll.dll, process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, file_name_orig = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 259 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 64, size_out = 64 True 1
Fn
Data
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 20, size_out = 20 True 1
Fn
Data
System Get Cursor x_out = 28, y_out = 227 True 1
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 True 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ False 1
Fn
File Create filename = C:\Users\CIIHMN~1\AppData\Local\Temp\FA6AEE10, desired_access = GENERIC_READ False 1
Fn
System Sleep duration = 500 milliseconds (0.500 seconds) True 10
Fn
System Get Info type = Windows Directory, result_out = C:\Windows True 1
Fn
Module Get Handle module_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, base_address = 0x400000 True 1
Fn
Process Create process_name = C:\Windows\SysWOW64\explorer.exe, os_pid = 0xf48, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Fn
Module Create Mapping filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 65592 True 1
Fn
Module Map process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, desired_access = FILE_MAP_ALL_ACCESS True 1
Fn
Process Get Info type = PROCESS_BASIC_INFORMATION True 1
Fn
Memory Read process_name = C:\Windows\SysWOW64\explorer.exe, address = 0x7f587008, size = 4 True 1
Fn
Data
Memory Read process_name = C:\Windows\SysWOW64\explorer.exe, address = 0xaa0000, size = 4096 True 1
Fn
Data
Memory Read process_name = C:\Windows\SysWOW64\explorer.exe, address = 0xaa00e8, size = 4096 True 1
Fn
Data
Memory Protect process_name = C:\Windows\SysWOW64\explorer.exe, address = 0xb3dea0, protection = PAGE_EXECUTE_READWRITE, size = 684 True 1
Fn
Memory Write process_name = C:\Windows\SysWOW64\explorer.exe, address = 0xb3dea0, size = 684 True 1
Fn
Data
Thread Resume process_name = c:\users\ciihmnxmn6ps\desktop\volumesound.exe, os_tid = 0xf20 True 1
Fn
Process #2: explorer.exe
335 0
Information Value
ID #2
File Name c:\windows\syswow64\explorer.exe
Command Line C:\Windows\SysWOW64\explorer.exe
Initial Working Directory C:\Users\CIiHmnxMn6Ps\Desktop\
Monitor Start Time: 00:01:23, Reason: Child Process
Unmonitor End Time: 00:04:47, Reason: Terminated by Timeout
Monitor Duration 00:03:24
OS Process Information
Information Value
PID 0xf48
Parent PID 0xdd8 (c:\users\ciihmnxmn6ps\desktop\volumesound.exe)
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username LHNIWSJ\CIiHmnxMn6Ps
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF4C
0xF60
0xF64
0xF68
0xF6C
0x884
0x300
Region
Name Start VA End VA Type Permissions Monitored Dumped YARA Actions
private_0x0000000000420000 0x00420000 0x0043ffff Private Memory rw True False False -
pagefile_0x0000000000420000 0x00420000 0x0042ffff Pagefile Backed Memory rw True False False -
private_0x0000000000430000 0x00430000 0x00433fff Private Memory rw True False False -
private_0x0000000000440000 0x00440000 0x00440fff Private Memory rw True False False -
explorer.exe.mui 0x00440000 0x00447fff Memory Mapped File r False False False -
pagefile_0x0000000000450000 0x00450000 0x00463fff Pagefile Backed Memory r True False False -
private_0x0000000000470000 0x00470000 0x004affff Private Memory rw True False False -
private_0x00000000004b0000 0x004b0000 0x004effff Private Memory rw True False False -
pagefile_0x00000000004f0000 0x004f0000 0x004f3fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000500000 0x00500000 0x00502fff Pagefile Backed Memory r True False False -
private_0x0000000000510000 0x00510000 0x00511fff Private Memory rw True False False -
locale.nls 0x00520000 0x005ddfff Memory Mapped File r False False False -
private_0x00000000005e0000 0x005e0000 0x0061ffff Private Memory rw True False False -
private_0x0000000000620000 0x00620000 0x00620fff Private Memory rw True False False -
private_0x0000000000630000 0x00630000 0x00630fff Private Memory rw True False False -
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory rw True False False -
private_0x0000000000650000 0x00650000 0x00653fff Private Memory rw True False False -
display.pnf 0x00660000 0x00661fff Memory Mapped File r False False False -
pagefile_0x0000000000660000 0x00660000 0x00660fff Pagefile Backed Memory rw True False False -
pagefile_0x0000000000670000 0x00670000 0x00670fff Pagefile Backed Memory r True False False -
pagefile_0x0000000000670000 0x00670000 0x00673fff Pagefile Backed Memory r True False False -
private_0x0000000000680000 0x00680000 0x0077ffff Private Memory rw True False False -
private_0x0000000000780000 0x00780000 0x007bffff Private Memory rw True False False -
private_0x00000000007c0000 0x007c0000 0x007fffff Private Memory rw True False False -
private_0x0000000000800000 0x00800000 0x0083ffff Private Memory rw True False False -
private_0x0000000000840000 0x00840000 0x0087ffff Private Memory rw True False False -
private_0x0000000000880000 0x00880000 0x008bffff Private Memory rw True False False -
private_0x00000000008c0000 0x008c0000 0x008d0fff Private Memory rwx True False False -
private_0x00000000008e0000 0x008e0000 0x00949fff Private Memory rw True False False -
private_0x0000000000970000 0x00970000 0x0097ffff Private Memory rw True False False -
private_0x0000000000980000 0x00980000 0x009bffff Private Memory rw True False False -
private_0x00000000009c0000 0x009c0000 0x009fffff Private Memory rw True False False -
private_0x0000000000a40000 0x00a40000 0x00a4ffff Private Memory rw True False False -
explorer.exe 0x00aa0000 0x00e76fff Memory Mapped File rwx False False False -
pagefile_0x0000000000e80000 0x00e80000 0x04e7ffff Pagefile Backed Memory - True False False -
pagefile_0x0000000004e80000 0x04e80000 0x05007fff Pagefile Backed Memory r True False False -
pagefile_0x0000000005010000 0x05010000 0x05190fff Pagefile Backed Memory r True False False -
pagefile_0x00000000051a0000 0x051a0000 0x0659ffff Pagefile Backed Memory r True False False -
sortdefault.nls 0x065a0000 0x068d6fff Memory Mapped File r False False False -
pagefile_0x00000000068e0000 0x068e0000 0x06997fff Pagefile Backed Memory r True False False -
wow64cpu.dll 0x64ae0000 0x64ae7fff Memory Mapped File rwx False False False -
wow64win.dll 0x64af0000 0x64b62fff Memory Mapped File rwx False False False -
wow64.dll 0x64b70000 0x64bbefff Memory Mapped File rwx False False False -
wsock32.dll 0x739d0000 0x739d7fff Memory Mapped File rwx False False False -
dxgi.dll 0x739e0000 0x73a5dfff Memory Mapped File rwx False False False -
sppc.dll 0x73a60000 0x73a7cfff Memory Mapped File rwx False False False -
slc.dll 0x73a80000 0x73aa0fff Memory Mapped File rwx False False False -
dcomp.dll 0x73ab0000 0x73b4bfff Memory Mapped File rwx False False False -
d3d11.dll 0x73b50000 0x73d62fff Memory Mapped File rwx False False False -
twinapi.dll 0x73d70000 0x73e08fff Memory Mapped File rwx False False False -
version.dll 0x73e10000 0x73e17fff Memory Mapped File rwx False False False -
winsta.dll 0x73e20000 0x73e63fff Memory Mapped File rwx False False False -
userenv.dll 0x73e70000 0x73e88fff Memory Mapped File rwx False False False -
propsys.dll 0x744b0000 0x745f1fff Memory Mapped File rwx False False False -
devobj.dll 0x74840000 0x74860fff Memory Mapped File rwx False False False -
wininet.dll 0x74930000 0x74b53fff Memory Mapped File rwx False False False -
dwmapi.dll 0x74c00000 0x74c1cfff Memory Mapped File rwx False False False -
uxtheme.dll 0x74c20000 0x74c94fff Memory Mapped File rwx False False False -
bcryptprimitives.dll 0x74d40000 0x74d98fff Memory Mapped File rwx False False False -
cryptbase.dll 0x74da0000 0x74da9fff Memory Mapped File rwx False False False -
sspicli.dll 0x74db0000 0x74dcdfff Memory Mapped File rwx False False False -
kernelbase.dll 0x74e70000 0x74fe5fff Memory Mapped File rwx False False False -
cfgmgr32.dll 0x75220000 0x75255fff Memory Mapped File rwx False False False -
kernel32.dll 0x75260000 0x7534ffff Memory Mapped File rwx False False False -
powrprof.dll 0x753b0000 0x753f3fff Memory Mapped File rwx False False False -
imm32.dll 0x75400000 0x7542afff Memory Mapped File rwx False False False -
shell32.dll 0x75430000 0x767eefff Memory Mapped File rwx False False False -
profapi.dll 0x76810000 0x7681efff Memory Mapped File rwx False False False -
ole32.dll 0x768b0000 0x76999fff Memory Mapped File rwx False False False -
ws2_32.dll 0x769b0000 0x76a0bfff Memory Mapped File rwx False False False -
advapi32.dll 0x76a10000 0x76a8afff Memory Mapped File rwx False False False -
setupapi.dll 0x76a90000 0x76c34fff Memory Mapped File rwx False False False -
sechost.dll 0x76c40000 0x76c82fff Memory Mapped File rwx False False False -
oleaut32.dll 0x76c90000 0x76d21fff Memory Mapped File rwx False False False -
msasn1.dll 0x76d30000 0x76d3dfff Memory Mapped File rwx False False False -
wintrust.dll 0x76d40000 0x76d81fff Memory Mapped File rwx False False False -
rpcrt4.dll 0x76d90000 0x76e3bfff Memory Mapped File rwx False False False -
combase.dll 0x76e40000 0x76ff9fff Memory Mapped File rwx False False False -
gdi32.dll 0x77000000 0x7714cfff Memory Mapped File rwx False False False -
user32.dll 0x77150000 0x7728ffff Memory Mapped File rwx False False False -
shlwapi.dll 0x77290000 0x772d3fff Memory Mapped File rwx False False False -
shcore.dll 0x77340000 0x773ccfff Memory Mapped File rwx False False False -
psapi.dll 0x773d0000 0x773d5fff Memory Mapped File rwx False False False -
nsi.dll 0x773e0000 0x773e6fff Memory Mapped File rwx False False False -
windows.storage.dll 0x773f0000 0x778ccfff Memory Mapped File rwx False False False -
msctf.dll 0x778d0000 0x779effff Memory Mapped File rwx False False False -
msvcrt.dll 0x779f0000 0x77aadfff Memory Mapped File rwx False False False -
crypt32.dll 0x77ab0000 0x77c24fff Memory Mapped File rwx False False False -
kernel.appcore.dll 0x77c30000 0x77c3bfff Memory Mapped File rwx False False False -
ntdll.dll 0x77ca0000 0x77e18fff Memory Mapped File rwx False False False -
private_0x000000007f457000 0x7f457000 0x7f459fff Private Memory rw True False False -
private_0x000000007f45a000 0x7f45a000 0x7f45cfff Private Memory rw True False False -
private_0x000000007f45d000 0x7f45d000 0x7f45ffff Private Memory rw True False False -
pagefile_0x000000007f460000 0x7f460000 0x7f55ffff Pagefile Backed Memory r True False False -
pagefile_0x000000007f560000 0x7f560000 0x7f582fff Pagefile Backed Memory r True False False -
private_0x000000007f584000 0x7f584000 0x7f586fff Private Memory rw True False False -
private_0x000000007f587000 0x7f587000 0x7f587fff Private Memory rw True False False -
private_0x000000007f58a000 0x7f58a000 0x7f58cfff Private Memory rw True False False -
private_0x000000007f58d000 0x7f58d000 0x7f58dfff Private Memory rw True False False -
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory r True False False -
private_0x000000007fff0000 0x7fff0000 0x7df8ee37ffff Private Memory r True False False -
pagefile_0x00007df8ee380000 0x7df8ee380000 0x7ff8ee37ffff Pagefile Backed Memory - True False False -
ntdll.dll 0x7ff8ee380000 0x7ff8ee541fff Memory Mapped File rwx False False False -
private_0x00007ff8ee542000 0x7ff8ee542000 0x7ffffffeffff Private Memory r True False False -
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count Logfile
Modify Memory #1: c:\users\ciihmnxmn6ps\desktop\volumesound.exe 0xf20 address = 0xb3dea0, size = 684 True 1
Fn
Data
Threads
Thread 0xf4c
167 0
Category Operation Information Success Count Logfile
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlReAllocateHeap, address_out = 0x77cdbae0 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77cdda90 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlSizeHeap, address_out = 0x77cf4f40 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlExitUserThread, address_out = 0x77d02570 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlEnterCriticalSection, address_out = 0x77ce5e80 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlDeleteCriticalSection, address_out = 0x77cf9920 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 True 1
Fn
Module Load module_name = ntdll, base_address = 0x77ca0000 True 1
Fn
Module Load module_name = user32, base_address = 0x77150000 True 1
Fn
Module Load module_name = Psapi, base_address = 0x773d0000 True 1
Fn
Module Load module_name = winsta.dll, base_address = 0x73e20000 True 1
Fn
Module Load module_name = gdi32, base_address = 0x77000000 True 1
Fn
Module Load module_name = advapi32, base_address = 0x76a10000 True 1
Fn
Module Load module_name = shlwapi, base_address = 0x77290000 True 1
Fn
Module Load module_name = shell32, base_address = 0x75430000 True 1
Fn
Module Load module_name = ole32, base_address = 0x768b0000 True 1
Fn
Module Load module_name = api-ms-win-core-com-l1-1-0, base_address = 0x76e40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\combase.dll, function = CoCreateInstance, address_out = 0x76ee8200 True 1
Fn
Module Load module_name = api-ms-win-core-com-l1-1-0, base_address = 0x76e40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\combase.dll, function = CoUninitialize, address_out = 0x76eadca0 True 1
Fn
Module Load module_name = oleaut32, base_address = 0x76c90000 True 1
Fn
Module Load module_name = version, base_address = 0x73e10000 True 1
Fn
Module Load module_name = crypt32, base_address = 0x77ab0000 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlReAllocateHeap, address_out = 0x77cdbae0 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlAllocateHeap, address_out = 0x77cdda90 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlSizeHeap, address_out = 0x77cf4f40 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlExitUserThread, address_out = 0x77d02570 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlInitializeCriticalSection, address_out = 0x77cf95f0 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlEnterCriticalSection, address_out = 0x77ce5e80 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlLeaveCriticalSection, address_out = 0x77ce5e00 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlDeleteCriticalSection, address_out = 0x77cf9920 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlAddVectoredExceptionHandler, address_out = 0x77cff090 True 1
Fn
Module Load module_name = NTDLL, base_address = 0x77ca0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ntdll.dll, function = RtlRemoveVectoredExceptionHandler, address_out = 0x77cc8870 True 1
Fn
Module Load module_name = ntdll, base_address = 0x77ca0000 True 1
Fn
Module Load module_name = user32, base_address = 0x77150000 True 1
Fn
Module Load module_name = Psapi, base_address = 0x773d0000 True 1
Fn
Module Load module_name = winsta.dll, base_address = 0x73e20000 True 1
Fn
Module Load module_name = gdi32, base_address = 0x77000000 True 1
Fn
Module Load module_name = advapi32, base_address = 0x76a10000 True 1
Fn
Module Load module_name = shlwapi, base_address = 0x77290000 True 1
Fn
Module Load module_name = shell32, base_address = 0x75430000 True 1
Fn
Module Load module_name = ole32, base_address = 0x768b0000 True 1
Fn
Module Load module_name = api-ms-win-core-com-l1-1-0, base_address = 0x76e40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\combase.dll, function = CoCreateInstance, address_out = 0x76ee8200 True 1
Fn
Module Load module_name = api-ms-win-core-com-l1-1-0, base_address = 0x76e40000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\combase.dll, function = CoUninitialize, address_out = 0x76eadca0 True 1
Fn
Module Load module_name = oleaut32, base_address = 0x76c90000 True 1
Fn
Module Load module_name = version, base_address = 0x73e10000 True 1
Fn
Module Load module_name = crypt32, base_address = 0x77ab0000 True 1
Fn
Module Load module_name = wsock32, base_address = 0x739d0000 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = getpeername, address_out = 0x769c12c0 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = inet_ntoa, address_out = 0x769c4b00 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = ntohs, address_out = 0x769c3650 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = send, address_out = 0x769bce20 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = connect, address_out = 0x769c33a0 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = select, address_out = 0x769c48e0 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = ioctlsocket, address_out = 0x769bd860 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = socket, address_out = 0x769b9780 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = closesocket, address_out = 0x769b9ba0 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = WSAStartup, address_out = 0x769c2420 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = bind, address_out = 0x769be0f0 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = listen, address_out = 0x769c3f40 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = accept, address_out = 0x769c4030 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = __WSAFDIsSet, address_out = 0x769c2f20 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = htons, address_out = 0x769c3650 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = WSACleanup, address_out = 0x769bda00 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = gethostname, address_out = 0x769dc920 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = gethostbyname, address_out = 0x769dc790 True 1
Fn
Module Load module_name = ws2_32, base_address = 0x769b0000 True 1
Fn
Module Get Address module_name = c:\windows\syswow64\ws2_32.dll, function = inet_addr, address_out = 0x769c2e90 True 1
Fn
Module Load module_name = wininet, base_address = 0x74930000 True 1
Fn
System Get Info type = Operating System True 1
Fn
System Get Info type = Operating System True 1
Fn
Mutex Create mutex_name = Global\UzFCA0D558 True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 True 1
Fn
Module Get Filename process_name = c:\windows\syswow64\explorer.exe, file_name_orig = C:\Windows\SysWOW64\explorer.exe, size = 1025 True 1
Fn
File Create filename = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Fn
File Get Info filename = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, type = size True 1
Fn
File Read filename = C:\Users\CIiHmnxMn6Ps\Desktop\volumesound.exe, size = 432128, size_out = 432128 True 1
Fn
Data
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\137FBF1F\ False 1
Fn
Module Load module_name = setupapi, base_address = 0x76a90000 True 2
Fn
System Get Computer Name result_out = LHNIWSJ True 1
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductID, data = 48 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = ProductName, data = 87 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = CurrentVersion, data = 54 True 1
Fn
Registry Read Value reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion, value_name = InstallDate, data = 65 True 1
Fn
System Get Time type = System Time, time = 2018-11-06 10:30:16 (UTC) True 2
Fn
Registry Open Key reg_name = HKEY_LOCAL_MACHINE\SOFTWARE\137FBF1F\ False 1
Fn
System Sleep duration = 1000 milliseconds (1.000 seconds) True 196
Fn
Thread 0xf6c
1 0
Category Operation Information Success Count Logfile
Window Create class_name = B6BD1409FA131780, wndproc_parameter = 0 True 1
Fn