7bcd69b3...dd26 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Ransomware, Trojan

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xe64 Analysis Target High (Elevated) zzbdrimp2939.exe "C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe" -
#2 0xc04 Child Process High (Elevated) cmd.exe C:\WINDOWS\system32\cmd.exe /c move /y C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe #1
#4 0x4e4 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -m #1
#5 0x200 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#6 0x3cc Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#7 0xdb4 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#8 0xe00 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#9 0xbfc Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#10 0xfac Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#11 0xfec Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#12 0xf1c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#13 0x7a8 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#14 0xb6c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#15 0xdd8 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#16 0xe38 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#17 0x83c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#18 0x714 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#19 0xd54 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#20 0xcb8 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#21 0x9b4 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#22 0x9fc Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#23 0xd6c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#24 0xdac Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#25 0x6ac Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#26 0xe5c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#27 0xfc4 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#28 0xa88 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#29 0xec8 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#30 0x6dc Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#31 0xf9c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#32 0xf60 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#33 0xf48 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#34 0x468 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#35 0xcf8 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#36 0xcc0 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#37 0xe00 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#38 0x7ec Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#39 0x570 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#40 0xb6c Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#41 0xdd8 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4
#42 0xed0 Child Process High (Elevated) zzbdrimp5619.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s #4

Behavior Information - Grouped by Category

Process #1: zzbdrimp2939.exe
121 0
Information Value
ID #1
File Name c:\users\fd1hvy\desktop\zzbdrimp2939.exe
Command Line "C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe"
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:25, Reason: Analysis Target
Unmonitor End Time: 00:00:38, Reason: Self Terminated
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0xe64
Parent PID 0x860 (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE98
0xCE0
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Users\Public\Desktop\README_LOCKED.txt 1.39 KB MD5: cf3282d6ad1dce954e472722979f3bde, SHA1: a2a9501fe1c525702ec428b8c4aa35be954424b6, SHA256: b686c88bce6629088ce1044b30ad1d5b978fd754601b8b463bc1f611b01d05d7, SSDeep: 24:KaEhwBlovLLI5lgbspz6wT5Ud3xHH+++y3T6kQHKMyqYmVUI+O:KwBlovfIbgYpsHkGhmVUIp False
Host Behavior
File (33)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\Public\Desktop\README_LOCKED.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1 Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp type = file_attributes True 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe type = file_attributes False 1 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.com type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.exe type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.bat type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.cmd type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.vbs type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.vbe type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.js type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.jse type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.wsf type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.wsh type = file_attributes False 2 Fn
Get Info C:\ProgramData\Oracle\Java\javapath\cmd.exe.msc type = file_attributes False 2 Fn
Get Info C:\WINDOWS\system32\cmd.exe type = file_attributes True 1 Fn
Get Info C:\Users\Public\Desktop\README_LOCKED.txt type = file_type True 1 Fn
Open STD_INPUT_HANDLE - True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Write C:\Users\Public\Desktop\README_LOCKED.txt size = 1375 True 1 Fn, Data
Write C:\Users\Public\Desktop\README_LOCKED.txt size = 53 True 1 Fn, Data
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\WINDOWS\system32\cmd.exe os_pid = 0xc04, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1 Fn
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x4e4, startup_flags = STARTF_USESHOWWINDOW, show_window = SW_HIDE True 1 Fn
Module (65)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2 Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2 Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1 Fn
Load kernel32 base_address = 0x75e90000 True 1 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3 Fn
Get Handle c:\users\fd1hvy\desktop\zzbdrimp2939.exe base_address = 0x11a0000 True 2 Fn
Get Handle mscoree.dll - False 1 Fn
Get Filename - process_name = c:\users\fd1hvy\desktop\zzbdrimp2939.exe, file_name_orig = C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe, size = 260 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x75ea4280 True 1 Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1 Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1 Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1 Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1 Fn
System (4)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 12364916226 True 1 Fn
Get Time type = Performance Ctr, time = 12450747008 True 1 Fn
Get Info type = Hardware Information True 2 Fn
Environment (5)
Operation Additional Information Success Count Logfile
Get Environment String - True 3 Fn, Data
Get Environment String name = TMP True 1 Fn
Get Environment String name = TMP, result_out = C:\Users\FD1HVy\AppData\Local\Temp True 1 Fn
Process #2: cmd.exe
61 0
Information Value
ID #2
File Name c:\windows\system32\cmd.exe
Command Line C:\WINDOWS\system32\cmd.exe /c move /y C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:33, Reason: Child Process
Unmonitor End Time: 00:00:37, Reason: Self Terminated
Monitor Duration 00:00:04
OS Process Information
Information Value
PID 0xc04
Parent PID 0xe64 (c:\users\fd1hvy\desktop\zzbdrimp2939.exe)
Bitness 64-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x6CC
0xF70
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points YARA Actions
cmd.exe 0x7FF6C6960000 0x7FF6C69C2FFF Process Termination - 64-bit - False
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe 1.19 MB MD5: 7e3f8b6b7ac0565bfcbf0a1e3e6fcfbc, SHA1: b2a701225c8c7f839be3c5009d52b4421063d93e, SHA256: 7bcd69b3085126f7e97406889f78ab74e87230c11812b79406d723a80c08dd26, SSDeep: 24576:VnJVtmfwkmE2j2uD3bMUPMGOc0dfe3WuEK2/0vPY0uZTp+Xksy:jVtmfwkmE2jrcHdfelcYPMZTp+Xksy False
Host Behavior
File (23)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Users\FD1HVy\Desktop type = file_attributes True 3 Fn
Get Info C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe type = file_attributes True 3 Fn
Get Info C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe type = file_attributes False 1 Fn
Get Info STD_OUTPUT_HANDLE type = file_type True 1 Fn
Open STD_OUTPUT_HANDLE - True 9 Fn
Open STD_INPUT_HANDLE - True 4 Fn
Move C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe source_filename = C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Write STD_OUTPUT_HANDLE size = 26 True 1 Fn, Data
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System - False 1 Fn
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor - True 1 Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor - True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 4, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1 Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1 Fn
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\system32\cmd.exe base_address = 0x7ff6c6960000 True 1 Fn
Get Handle c:\windows\system32\kernel32.dll base_address = 0x7ff92fdd0000 True 2 Fn
Get Filename - process_name = c:\windows\system32\cmd.exe, file_name_orig = C:\WINDOWS\system32\cmd.exe, size = 32743 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetThreadUILanguage, address_out = 0x7ff92fdea990 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = CopyFileExW, address_out = 0x7ff92fdee830 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = IsDebuggerPresent, address_out = 0x7ff92fdee300 True 1 Fn
Get Address c:\windows\system32\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x7ff92f1b0a40 True 1 Fn
Environment (11)
Operation Additional Information Success Count Logfile
Get Environment String - True 4 Fn, Data
Get Environment String name = PATH, result_out = C:\ProgramData\Oracle\Java\javapath;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\WINDOWS\System32\WindowsPowerShell\v1.0\;C:\Users\FD1HVy\AppData\Local\Microsoft\WindowsApps True 1 Fn
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1 Fn
Get Environment String name = PROMPT False 1 Fn
Get Environment String name = COMSPEC, result_out = C:\WINDOWS\system32\cmd.exe True 1 Fn
Get Environment String name = KEYS False 1 Fn
Set Environment String name = PROMPT, value = $P$G True 1 Fn
Set Environment String name = =C:, value = C:\Users\FD1HVy\Desktop True 1 Fn
Process #4: zzbdrimp5619.exe
1923 0
Information Value
ID #4
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -m
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:03:20
OS Process Information
Information Value
PID 0x4e4
Parent PID 0xe64 (c:\users\fd1hvy\desktop\zzbdrimp2939.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x37C
0x7EC
0x384
0x390
0x49C
Host Behavior
COM (64)
Operation Class Interface Additional Information Success Count Logfile
Create 00021401-0000-0000-C000-000000000046 000214F9-0000-0000-C000-000000000046 cls_context = CLSCTX_INPROC_SERVER False 64 Fn
File (1094)
Operation Filename Additional Information Success Count Logfile
Create C:\Documents and Settings file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Documents and Settings desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Documents and Settings desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvStream32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\client\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\client\C2R64.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\C2R64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\client\C2R64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\Office16\AppvIsvStream64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\Office16\C2R64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvStream32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvStream64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvStream32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvStream32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll file_attributes = FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Create C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll desired_access = FILE_READ_EA, file_attributes = FILE_FLAG_OPEN_REPARSE_POINT, FILE_FLAG_BACKUP_SEMANTICS, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Fn
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\-3UHf66cGxHB.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\-AnF.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\1QAPVi6RYhjsmS_eh0.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\2VmaaUC.ots.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\3vTVFJ8s8knPxs8aR.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\3X8oz61amYGD.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\45tHxuZPCJ8a.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\4Ohv8IWxp.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\55VspAUYJcS-7AwG.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\6abGx.lnk type = file_attributes True 1
Get Info C:\Users\FD1HVy\AppData\Roaming\Microsoft\Windows\Recent\7L829zN.lnk type = file_attributes True 1
Get Info C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log type = file_attributes True 3
Get Info C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log type = file_attributes True 3
Get Info C:\$GetCurrent\Logs\PartnerSetupCompleteResult.log type = file_attributes True 3
Get Info C:\$GetCurrent\SafeOS\GetCurrentOOBE.dll type = file_attributes True 3
Get Info C:\$GetCurrent\SafeOS\GetCurrentRollback.ini type = file_attributes True 1
Get Info C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd type = file_attributes True 2
Get Info C:\$GetCurrent\SafeOS\preoobe.cmd type = file_attributes True 1
Get Info C:\$GetCurrent\SafeOS\SetupComplete.cmd type = file_attributes True 3
Get Info C:\$Recycle.Bin\S-1-5-18\desktop.ini type = file_attributes True 3
Get Info C:\$Recycle.Bin\S-1-5-21-1051304884-625712362-2192934891-1000\desktop.ini type = file_attributes True 3
Get Info C:\$WINRE_BACKUP_PARTITION.MARKER type = file_attributes True 2
Get Info C:\588bce7c90097ed212\1025\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1025\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1028\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1028\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1028\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1029\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1029\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1030\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1030\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1030\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1031\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1031\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1032\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1032\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1032\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1033\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1033\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1035\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1035\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1035\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1036\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\1036\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1036\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1037\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1037\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1037\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1038\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\1038\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1038\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1040\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1040\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1040\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1041\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1041\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1042\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1042\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1042\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1043\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\1043\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1043\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1044\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1044\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1044\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1045\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\1045\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1045\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1046\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1046\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1046\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1049\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1049\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1053\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1053\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1053\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1055\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\1055\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1055\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2052\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2052\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2052\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2070\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\2070\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2070\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3076\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3076\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3076\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3082\eula.rtf type = file_attributes True 1
Get Info C:\588bce7c90097ed212\3082\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3082\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Client\Parameterinfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Client\UiInfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\DHtmlHeader.html type = file_attributes True 3
Get Info C:\588bce7c90097ed212\DisplayIcon.ico type = file_attributes True 2
Get Info C:\588bce7c90097ed212\Extended\Parameterinfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Extended\UiInfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Print.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate1.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate2.ico type = file_attributes True 2
Get Info C:\588bce7c90097ed212\Graphics\Rotate3.ico type = file_attributes True 1
Get Info C:\588bce7c90097ed212\Graphics\Rotate4.ico type = file_attributes True 1
Get Info C:\588bce7c90097ed212\Graphics\Rotate5.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate6.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate7.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate8.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Save.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\stop.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\SysReqMet.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\warn.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\header.bmp type = file_attributes True 3
Get Info C:\588bce7c90097ed212\netfx_Core.mzz type = file_attributes True 2
Get Info C:\588bce7c90097ed212\netfx_Core_x64.msi type = file_attributes True 1
Get Info C:\588bce7c90097ed212\netfx_Core_x86.msi type = file_attributes True 3
Get Info C:\588bce7c90097ed212\netfx_Extended.mzz type = file_attributes True 3
Get Info C:\588bce7c90097ed212\netfx_Extended_x64.msi type = file_attributes True 3
Get Info C:\588bce7c90097ed212\netfx_Extended_x86.msi type = file_attributes True 3
Get Info C:\588bce7c90097ed212\ParameterInfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\RGB9RAST_x64.msi type = file_attributes True 1
Get Info C:\588bce7c90097ed212\RGB9Rast_x86.msi type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Setup.exe type = file_attributes True 3
Get Info C:\588bce7c90097ed212\SetupEngine.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\SetupUi.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\SetupUi.xsd type = file_attributes True 3
Get Info C:\588bce7c90097ed212\SetupUtility.exe type = file_attributes True 2
Get Info C:\588bce7c90097ed212\SplashScreen.bmp type = file_attributes True 1
Get Info C:\588bce7c90097ed212\sqmapi.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Strings.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\UiInfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\watermark.bmp type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu type = file_attributes True 1
Get Info C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu type = file_attributes True 3
Get Info C:\Boot\BCD type = file_attributes True 3
Get Info C:\Boot\BCD.LOG type = file_attributes True 3
Get Info C:\Boot\BCD.LOG1 type = file_attributes True 3
Get Info C:\Boot\BCD.LOG2 type = file_attributes True 3
Get Info C:\Boot\bg-BG\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\BOOTSTAT.DAT type = file_attributes True 3
Get Info C:\Boot\bootvhd.dll type = file_attributes True 3
Get Info C:\Boot\cs-CZ\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\da-DK\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\da-DK\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\de-DE\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\de-DE\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\el-GR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\en-GB\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\en-US\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\en-US\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\es-ES\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\es-MX\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\et-EE\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\fi-FI\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\fi-FI\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\Fonts\chs_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\cht_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\kor_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\malgunn_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\malgun_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\meiryon_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\meiryo_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\msjhn_boot.ttf type = file_attributes True 2
Get Info C:\Boot\Fonts\msjh_boot.ttf type = file_attributes True 1
Get Info C:\Boot\Fonts\msyhn_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\msyh_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\segmono_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\segoen_slboot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\segoe_slboot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\wgl4_boot.ttf type = file_attributes True 1
Get Info C:\Boot\fr-CA\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\fr-FR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\fr-FR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\hr-HR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\hu-HU\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\hu-HU\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\it-IT\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\it-IT\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\ja-JP\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\ja-JP\memtest.exe.mui type = file_attributes True 2
Get Info C:\Boot\ko-KR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\ko-KR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\lt-LT\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\lv-LV\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\memtest.exe type = file_attributes True 3
Get Info C:\Boot\nb-NO\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\nb-NO\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\nl-NL\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\nl-NL\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\pl-PL\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-BR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-BR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-PT\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-PT\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\qps-ploc\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\qps-ploc\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\Resources\bootres.dll type = file_attributes True 3
Get Info C:\Boot\Resources\en-US\bootres.dll.mui type = file_attributes True 3
Get Info C:\Boot\ro-RO\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\ru-RU\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\sk-SK\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\sl-SI\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\sr-Latn-CS\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\sr-Latn-CS\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\sv-SE\bootmgr.exe.mui type = file_attributes True 1
Get Info C:\Boot\sv-SE\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\tr-TR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\tr-TR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\uk-UA\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\updaterevokesipolicy.p7b type = file_attributes True 2
Get Info C:\Boot\zh-CN\memtest.exe.mui type = file_attributes True 1
Get Info C:\Boot\zh-HK\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-HK\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-TW\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-TW\memtest.exe.mui type = file_attributes True 3
Get Info C:\bootmgr type = file_attributes True 3
Get Info C:\BOOTNXT type = file_attributes True 3
Get Info C:\Documents and Settings type = file_attributes True 2
Get Info C:\hiberfil.sys type = file_attributes False 1
Get Info C:\Logs\Application.evtx type = file_attributes True 3
Get Info C:\Logs\HardwareEvents.evtx type = file_attributes True 3
Get Info C:\Logs\Internet Explorer.evtx type = file_attributes True 3
Get Info C:\Logs\Key Management Service.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx type = file_attributes True 2
Get Info C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppLocker%4MSI and Script.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Deployment.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppLocker%4Packaged app-Execution.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppModel-Runtime%4Admin.evtx type = file_attributes True 2
Get Info C:\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-AppReadiness%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-Hyper-V-Guest-Drivers%4Admin.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-International%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Known Folders API Service.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-LiveId%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-MUI%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-MUI%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-NCSI%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Ntfs%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Ntfs%4WHC.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx type = file_attributes True 2
Get Info C:\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SettingSync%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SMBClient%4Operational.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-SmbClient%4Security.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Audit.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Security.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Store%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx type = file_attributes True 2
Get Info C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx type = file_attributes True 1
Get Info C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Winlogon%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Security.evtx type = file_attributes True 3
Get Info C:\Logs\Setup.evtx type = file_attributes True 3
Get Info C:\Logs\Windows PowerShell.evtx type = file_attributes True 1
Get Info C:\pagefile.sys type = file_attributes False 1
Get Info C:\Program Files\Common Files\DESIGNER\MSADDNDR.OLB type = file_attributes True 2
Get Info C:\Program Files\Common Files\joke.exe type = file_attributes True 2
Get Info C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll type = file_attributes True 2
Get Info C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-file-l2-1-0.dll type = file_attributes True 2
Get Info C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll type = file_attributes True 2
Get Info C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-processthreads-l1-1-1.dll type = file_attributes True 2
Get Info C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-synch-l1-2-0.dll type = file_attributes True 2
Get Info C:\Program Files\Common Files\microsoft shared\ClickToRun\api-ms-win-core-timezone-l1-1-0.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\client\AppvIsvStream32.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\client\AppVLP.exe type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\client\C2R32.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\client\C2R64.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\client\concrt140.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-Latn-CS\Microsoft.AnalysisServices.Common.resources.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-Latn-CS\Microsoft.AnalysisServices.Common.Wizard.resources.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-Latn-CS\Microsoft.AnalysisServices.Excel.BackEnd.resources.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-Latn-CS\Microsoft.AnalysisServices.Excel.Common.FrontEnd.resources.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-Latn-CS\Microsoft.AnalysisServices.Layout.resources.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\sr-Latn-CS\Microsoft.AnalysisServices.XLHost.Modeler.resources.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\AppvIsvStream64.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHLTS.DLL type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHMAIN.DLL type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\AUDIOSEARCHSAPIFE.DLL type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\AutoHelper.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\bdcmetadata.xsd type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\bdcmetadataresource.xsd type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\C2R64.dll type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\CHART.DLL type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\CLVIEW.EXE type = file_attributes True 2
Get Info C:\Program Files\Microsoft Office\root\Office16\CNFNOT32.EXE type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\CommunicatorContentBinApp.xap type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\concrt140.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\GROOVE.EXE type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\GROOVE.VisualElementsManifest.xml type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\GROOVEEX.DLL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\HeaderPatterns.xml type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\HVAC.DLL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\IEAWSDC.DLL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\MSO0127.ACL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\MSOCF.DLL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\MSOCFUIUTILITIESDLL.DLL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\MSOCR.DLL type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\MSOCRRES.ORP type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\msoetwres.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\msoev.exe type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FPEQP_M.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FPEQP_U.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FPVALV_M.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FPVALV_U.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FREEQP_M.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FREEQP_U.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\Visio Content\1033\FURN_M.VSSX type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvStream32.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.CNT type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.EXE type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\eqnedt32.exe.manifest type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\EQNEDT32.HLP type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvStream64.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CMigrate.exe type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Csi.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\CSISYNCCLIENT.EXE type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\PROFILE.INF type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\THMBNAIL.PNG type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\PREVIEW.GIF type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.ELM type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\QUAD.INF type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\THMBNAIL.PNG type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvStream32.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\1028\hxdsui.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\1031\hxdsui.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\1033\hxdsui.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvStream32.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AutoHelper.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\concrt140.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\uninstall\uninstall.log type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\update-settings.ini type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\updater.exe type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\updater.ini type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\vcruntime140.dll type = file_attributes True 2
Fn
Get Info C:\Program Files\Mozilla Firefox\xul.dll type = file_attributes True 2
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Process (22)
Operation Process Additional Information Success Count
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x200, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x3cc, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xdb4, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xe00, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xbfc, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x6ac, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xe5c, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xfc4, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xa88, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xec8, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x6dc, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xf9c, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xf60, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xf48, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x468, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xcf8, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xcc0, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x7ec, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x570, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xb6c, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xdd8, show_window = SW_HIDE True 1
Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xed0, show_window = SW_HIDE True 1
Module (67)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000, flags = GET_MODULE_HANDLE_EX_FLAG_FROM_ADDRESS True 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Create Mapping - filename = System Paging File, protection = PAGE_READWRITE, maximum_size = 1048576 True 1
Map - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Driver (65)
Note: control_code 0x900a8 is FSCTL_GET_REPARSE_POINT. The targets are the Documents and Settings junction and the Click-to-Run/App-V virtual file system entries, so these are reparse-point queries issued while walking the file system, not communication with a custom driver.
Operation Driver Additional Information Success Count
Control C:\Documents and Settings control_code = 0x900a8 True 1
Control C:\Documents and Settings control_code = 0x900a8 True 1
Control - control_code = 0x900a8 True 4
Control C:\Program Files\Microsoft Office\root\client\AppvIsvStream32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\client\AppvIsvStream64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\client\AppvIsvSubsystems64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\client\C2R32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\client\C2R64.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\client\C2R64.dll control_code = 0x900a8 True 3
Control C:\Program Files\Microsoft Office\root\Office16\AppvIsvStream64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\Office16\AppvIsvSubsystems64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\Office16\C2R64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvStream32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\EQUATION\C2R32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvStream64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\AppvIsvSubsystems64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\C2R64.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvStream32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\AppvIsvSubsystems32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\EQUATION\C2R32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvStream32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\AppvIsvSubsystems32.dll control_code = 0x900a8 True 2
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll control_code = 0x900a8 True 1
Control C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\C2R32.dll control_code = 0x900a8 True 2
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (10)
Operation Additional Information Success Count
Sleep duration = 5000 milliseconds (5.000 seconds) True 1
Get Time type = Performance Ctr, time = 12932819310 True 1
Get Time type = System Time True 4
Get Info type = Hardware Information True 3
Get Info type = Windows Directory, result_out = C:\WINDOWS True 1
Mutex (587)
Operation Additional Information Success Count
Create mutex_name = MX-zzbdrimp True 1
Release mutex_name = MX-zzbdrimp True 586
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #5: zzbdrimp5619.exe
Information Value
ID #5
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:01:32, Reason: Self Terminated
Monitor Duration 00:00:54
OS Process Information
Information Value
PID 0x200
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xCEC, 0x784, 0xCD8, 0x47C
Dropped Files
Filename File Size Hash Values YARA Match
C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked 197.21 KB
MD5: 7167a128706e0c7bcf12c636006371aa
SHA1: 1f669a65f4c6cc7e50c046c7afe3690503d54d5d
SHA256: bb59a94f12e08217a86bbf7402b37fe056f9752e79d0250c9babbbfff5310961
SSDeep: 3072:MsGYiuk1G/0l7nmlEbkMrcWMlMEHrxWxq2yLexaYkpHYhW46Tf33Tj0XtVAZMA:PYn/keVmMEVWq2yLedAb33X0XtmeA
YARA Match: False
C:\588bce7c90097ed212\1025\LocalizedData.xml.locked 72.62 KB
MD5: 8255af954d5339b86fd2967fe2c12a35
SHA1: d741d8377c2e14996a820b155ba7fab6098b6fca
SHA256: b11b282d34042e5c5904708f79630c2b83cf55d1c2438514ec91c418fd154692
SSDeep: 1536:fvNH7gH4KLDI+QChFnjzNjeYgrXeBXeA24KkXpuULNE6NFV:fvxkiCjvNMrXeBeAznpuUNV
YARA Match: False
C:\588bce7c90097ed212\UiInfo.xml.locked 38.13 KB
MD5: 6468ecea7f1dedc8f46f57c9843da913
SHA1: 0fb9e737c44352b407ec76d2a907b6e26ad61be4
SHA256: 6fbfa21970183050bd207623a6331b32be9467a3edfeb10f3f4dc907fad4bdfb
SSDeep: 768:Urs3fR7MC3bdU+x0YK2E+HSqbarfJN8MWQIOOnNXPtyVLqwZ1k4eOx3X:UrsaCxU+aYK2KZXORGqDQn
YARA Match: False
C:\588bce7c90097ed212\1044\LocalizedData.xml.locked 77.58 KB
MD5: ae94d2e65d429d27159a1fa5f1450cad
SHA1: 9a815cdd6e08370510e758c18fa1dfe8f23ccd17
SHA256: e5d1ae55a9e2e4c6bde5d2ad45728bf4aa45f1b1ffe410aff72753e1e0d44560
SSDeep: 1536:RYj/IrRsckHF9ScZ5i4Fm90qfTAwVG764gJ6UaQk2cY9lgABU3KwfBr/BH:MYeNbdq4AOkTA4GW4cVaQkTClgABU6wD
YARA Match: False
C:\588bce7c90097ed212\1028\LocalizedData.xml.locked 59.54 KB
MD5: c7936c9373bc22e66c02458c12e10086
SHA1: ef92165b906905b43314b9a6599207646f541100
SHA256: 9bcd379087742b00a681cade23bcaa06028c2a1cc118a39b777261db71706029
SSDeep: 1536:Fmavz48xbcS6xwHr8KdqncBqiN7a01jyM+XBKW3fPkqTDziwFY0sS:tv08xbcVcEiNPdyiW3XTD9Y0t
YARA Match: False
C:\588bce7c90097ed212\3076\LocalizedData.xml.locked 59.54 KB
MD5: 1a31f83ece553db1f816095e4165eecc
SHA1: d2e9fbebc3acb143d564c65df59959d348197fbd
SHA256: 44dcc7836048ffd5eaf5eedf190b7f256fe139c55d24a204f32e771710cc551a
SSDeep: 1536:BuEAaS8Ki5KF48jlxPQtJd6l63/AABICAlFxaK+KDf6j:BFAZY8Y643/AABICtK+4ij
YARA Match: False
C:\588bce7c90097ed212\2052\LocalizedData.xml.locked 59.41 KB
MD5: 56a94f37e4881984eacbdbc2f8dc0198
SHA1: a482c63d3099f2094fa29dac59d709fcdbd53706
SHA256: e4697ad7c36e78dd8300c97f5549992500ec748c40e7533b38f4eb4df3b0befd
SSDeep: 1536:9OHkUe70je09VgATXSW45j1vDUSzWUX7m2aqOdNE0t:wHssFiqJcvN7mPHnt
YARA Match: False
C:\588bce7c90097ed212\netfx_Extended.mzz.locked 10.00 MB
MD5: 7574c7030184fbf28672d1ba0ebc05e3
SHA1: 78af4d76c1de5eef4d81f8385d4c6a771bbbc787
SHA256: 58059542dab990fc9269a95e80d8c217f6ded08ffef46cd17be8830089c47918
SSDeep: 196608:SPvzGTWbpXlnTKjdnlwR47POM3iC8fMRsmQ2iz+OUJL0U6gRXCwPrB7mTpGll:SPvq4TKx24OBgsxz+T50U/S+rB7EY
YARA Match: False
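The behaviour recorded in this report has three parts a detection engineer would want to key on together: the Process table above (one image, zzbdrimp5619.exe, launched 22 times with show_window = SW_HIDE), the privilege lookups (SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege), and the .locked files listed here, which the Move rows under Host Behavior show are the original files renamed with a uniform suffix appended and MOVEFILE_REPLACE_EXISTING set. The script below is an added example, not VMRay code or the sample's code: it parses rows written in this report's own "Operation Target Additional Information Success Count" layout and scores the three indicators. The row format, the thresholds (three renames, three hidden children) and the SENSITIVE_PRIVS set are assumptions made for the example; the sample rows are constructed to mirror rows on this page, and the final Desktop-to-Temp relocation row is invented to show a rename that is not a suffix append and must not be counted. The GetProcAddress lookups in the Module table (FlsAlloc, InitializeCriticalSectionEx, the SRW lock and threadpool functions) are the MSVC runtime's own start-up probing for OS features and are deliberately not treated as indicators.

```python
"""Heuristic triage of VMRay-style behaviour rows for the ransomware pattern in this report.

Added example (not VMRay's code). Rows are assumed to use the report's own
"Operation Target Additional Information Success Count" layout. Reports:
  * files renamed by appending one uniform suffix (".locked" here),
  * hidden worker processes spawned from a single image (SW_HIDE fan-out),
  * lookups of debug/backup/restore/take-ownership privileges.
Thresholds and the SENSITIVE_PRIVS set are assumptions made for this example.
"""
import re
from collections import Counter

# Constructed sample rows mirroring the report's layout. The last Move row is
# invented: a plain relocation whose destination is not source + suffix.
SAMPLE_ROWS = [
    r"Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x200, show_window = SW_HIDE True 1",
    r"Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0x3cc, show_window = SW_HIDE True 1",
    r"Create C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe os_pid = 0xdb4, show_window = SW_HIDE True 1",
    r"Create mutex_name = MX-zzbdrimp True 1",
    r"Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1",
    r"Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1",
    r"Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1",
    r"Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1",
    r"Move C:\588bce7c90097ed212\UiInfo.xml.locked source_filename = C:\588bce7c90097ed212\UiInfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1",
    r"Move C:\588bce7c90097ed212\1025\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1025\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1",
    r"Move C:\588bce7c90097ed212\netfx_Extended.mzz.locked source_filename = C:\588bce7c90097ed212\netfx_Extended.mzz, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1",
    r"Move C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe source_filename = C:\Users\FD1HVy\Desktop\zzbdrimp2939.exe, flags = MOVEFILE_REPLACE_EXISTING True 1",
]

# Row grammars (assumed); each ends with the Success and Count columns.
MOVE_RE = re.compile(r"^Move (?P<dst>.+?) source_filename = (?P<src>.+?), flags = (?P<flags>.+?) (?:True|False) \d+$")
CREATE_RE = re.compile(r"^Create (?P<image>.+?) os_pid = (?P<pid>0x[0-9a-f]+), show_window = (?P<sw>\w+) (?:True|False) \d+$")
PRIV_RE = re.compile(r"^Lookup Privilege privilege = (?P<name>\w+), luid = \d+")

# Privileges that let a process read/replace files it does not own or touch other processes.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}


def appended_extensions(rows):
    """Count, per suffix, the Move rows whose destination is exactly source + suffix."""
    exts = Counter()
    for row in rows:
        m = MOVE_RE.match(row)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        if dst.startswith(src) and len(dst) > len(src):
            exts[dst[len(src):]] += 1
    return exts


def hidden_fanout(rows):
    """Count hidden-window child processes per image basename."""
    images = Counter()
    for row in rows:
        m = CREATE_RE.match(row)
        if m and m["sw"] == "SW_HIDE":
            images[m["image"].rsplit("\\", 1)[-1]] += 1
    return images


def sensitive_privileges(rows):
    """Sorted list of sensitive privilege names the process looked up."""
    found = {m["name"] for m in map(PRIV_RE.match, rows) if m and m["name"] in SENSITIVE_PRIVS}
    return sorted(found)


def triage(rows, min_renames=3, min_fanout=3):
    """Flag a mass suffix-append rename when corroborated by fan-out or privilege interest."""
    renames = appended_extensions(rows)
    fanout = hidden_fanout(rows)
    privs = sensitive_privileges(rows)
    mass_rename = any(n >= min_renames for n in renames.values())
    corroborated = any(n >= min_fanout for n in fanout.values()) or bool(privs)
    return {
        "renames": dict(renames),
        "fanout": dict(fanout),
        "privileges": privs,
        "suspicious": mass_rename and corroborated,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

The rename check compares the full destination path against the full source path, so a file moved to another directory (the relocation row) is ignored even though it carries MOVEFILE_REPLACE_EXISTING; only an in-place rename that appends a suffix counts. Requiring corroboration keeps a batch renamer from tripping the verdict on its own, while the returned dictionary still exposes the suffix counts so an analyst can see them either way.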
Host Behavior
File (472)
Operation Filename Additional Information Success Count
Get Info C:\588bce7c90097ed212\1025\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1025\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\UiInfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\UiInfo.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1044\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1044\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1028\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1028\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Client\Parameterinfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\3076\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3076\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\2052\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2052\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\netfx_Extended.mzz type = file_attributes True 3
Get Info C:\588bce7c90097ed212\netfx_Extended.mzz.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\588bce7c90097ed212\1025\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\UiInfo.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1044\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1028\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\3076\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\2052\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\1025\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1025\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\UiInfo.xml.locked source_filename = C:\588bce7c90097ed212\UiInfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1044\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1044\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1028\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1028\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked source_filename = C:\588bce7c90097ed212\Client\Parameterinfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\3076\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\3076\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\2052\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\2052\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\netfx_Extended.mzz.locked source_filename = C:\588bce7c90097ed212\netfx_Extended.mzz, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\588bce7c90097ed212\1025\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1025\LocalizedData.xml.locked size = 8678, size_out = 8678 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\UiInfo.xml.locked size = 38898, size_out = 38898 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1044\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1044\LocalizedData.xml.locked size = 13760, size_out = 13760 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1028\LocalizedData.xml.locked size = 60816, size_out = 60816 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked size = 65536, size_out = 65536 True 3
Fn
Data
Read \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked size = 5188, size_out = 5188 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\3076\LocalizedData.xml.locked size = 60816, size_out = 60816 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\2052\LocalizedData.xml.locked size = 60684, size_out = 60684 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked size = 65536, size_out = 65536 True 314
Fn
Data
Write \??\\C:\588bce7c90097ed212\1025\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1025\LocalizedData.xml.locked offset = 65536, size = 8682 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1025\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\UiInfo.xml.locked offset = 0, size = 38902 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\UiInfo.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1044\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1044\LocalizedData.xml.locked offset = 65536, size = 13764 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1044\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1028\LocalizedData.xml.locked offset = 0, size = 60820 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1028\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked offset = 196608, size = 5192 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Client\Parameterinfo.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\3076\LocalizedData.xml.locked offset = 0, size = 60820 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\3076\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\2052\LocalizedData.xml.locked offset = 0, size = 60688 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\2052\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 655360, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 720896, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 786432, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 851968, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 917504, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 983040, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1048576, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1114112, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1179648, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1245184, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1310720, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1376256, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1441792, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1507328, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1572864, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1638400, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1703936, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1769472, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1835008, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1900544, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 1966080, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2031616, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2097152, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2162688, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2228224, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2293760, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2359296, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2424832, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2490368, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2555904, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2621440, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2686976, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2752512, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2818048, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2883584, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 2949120, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3014656, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3080192, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3145728, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3211264, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3276800, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3342336, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 3407872, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 13697024, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 13762560, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 13828096, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 13893632, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 13959168, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14024704, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14090240, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14155776, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14221312, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14286848, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14352384, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14417920, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14483456, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14548992, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14614528, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14680064, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14745600, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14811136, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14876672, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 14942208, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 15007744, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Extended.mzz.locked offset = 15073280, size = 65536 True 1
Fn
Data
Module (80)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (39)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 13037170615 True 1
Fn
Get Time type = Performance Ctr, time = 14384510266 True 1
Fn
Get Time type = System Time True 18
Fn
Get Time type = Performance Ctr, time = 14401068860 True 1
Fn
Get Time type = Performance Ctr, time = 14430802412 True 1
Fn
Get Time type = Performance Ctr, time = 14971003521 True 1
Fn
Get Time type = Performance Ctr, time = 15013172041 True 1
Fn
Get Time type = Performance Ctr, time = 15276940713 True 1
Fn
Get Time type = Performance Ctr, time = 15311023042 True 1
Fn
Get Time type = Performance Ctr, time = 15405393224 True 1
Fn
Get Time type = Performance Ctr, time = 15545187578 True 1
Fn
Get Time type = Performance Ctr, time = 15623155520 True 1
Fn
Get Time type = Performance Ctr, time = 15781916793 True 1
Fn
Get Time type = Performance Ctr, time = 15825141648 True 1
Fn
Get Time type = Performance Ctr, time = 16455106313 True 1
Fn
Get Time type = Performance Ctr, time = 16460381971 True 1
Fn
Get Time type = Performance Ctr, time = 16580068855 True 1
Fn
Get Time type = Performance Ctr, time = 17962988129 True 1
Fn
Get Time type = Performance Ctr, time = 18068709074 True 1
Fn
Get Time type = Performance Ctr, time = 18166809601 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1765)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 1764
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (8)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1025\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\UiInfo.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1044\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1028\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Client\Parameterinfo.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\3076\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\2052\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\netfx_Extended.mzz True 1
Fn
Process #6: zzbdrimp5619.exe
Information Value
ID #6
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:01:28, Reason: Self Terminated
Monitor Duration 00:00:50
OS Process Information
Information Value
PID 0x3cc
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xDFC, 0x7B8, 0xF74, 0xE3C
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\588bce7c90097ed212\1029\LocalizedData.xml.locked 79.22 KB MD5: 2333489f0911ef6138f1297d21985663
SHA1: 6df6a644604aa5d54162717975ebc8731048e158
SHA256: e074ac554e3c815c4113f45e60e0114e10ce6f6c524e606af1226be169d3a7f8
SSDeep: 1536:DYpFk0uzSaLysqCelMxKa6DyVmnsbwpx1ojfkX652Jq7h7XcXOv:DY3qzpLynCelMx96eAsljfk3M9CY
False
C:\588bce7c90097ed212\1033\LocalizedData.xml.locked 75.57 KB MD5: 5745a34d7acada4c7c0c5aba4161e872
SHA1: d74c4b41d046f352ad9ba5a3ee8b91658acbfb22
SHA256: 59b400a5c4ded0279ee8af6f0817a5f20d99df97d44cb283a4f398384c73e5a4
SSDeep: 1536:fAzF58zdIv6ECBE3GrT8KBUvayAFg5QbuvilTFQlTEadyAl77Hesp1cR7:fqbCECBy4BUvzA+Qbuvw6dEm+sM
False
C:\588bce7c90097ed212\1043\LocalizedData.xml.locked 77.91 KB MD5: 7446c682ef180107de74a29c2af016be
SHA1: 990303b888dd22ce632cdb5a3aa5c77d1b8d09e1
SHA256: 5e30207b410fc7d2e66405ddd817f289862c2aee9615e82ab9653b3ecf23b579
SSDeep: 1536:t9GenFn3NknAITUs3BveV13iufxkGKNqAleDXGiGP/s4o80N:20cA+B3Bv23iuf6GQqLUPU4wN
False
C:\588bce7c90097ed212\1041\LocalizedData.xml.locked 66.77 KB MD5: bdd8833a4905912bc486d6e1c469d3ac
SHA1: ea3aa3005ceece13b1fa674e15ca870b0e85d53f
SHA256: edc343c01ada78dd601cc6eff5a26f602bbd448598dd911d011cd2dd2b380f99
SSDeep: 1536:ej6SUE6xSnj8ci8jtv3OjZ1F1cbIBLOXvwBhjOW3cVErRXG:2eSnj8cNjtvejZ3eM4XvwPC2l2
False
C:\588bce7c90097ed212\1031\LocalizedData.xml.locked 80.56 KB MD5: afdfd049e0878043e62de433463ec6d7
SHA1: e31d3ba4ccd1e1e32edf4d897dbd984a450437d8
SHA256: b996646c30037b8020a2d31e2d8e1db4391174c0d863f9b58598a9ba5c37bc05
SSDeep: 1536:hTqjmy1YCf4pwbyMygw1M1TLKmRiDO0uLMQhohON7uKatY6CKu45tg:hqj71YZ//ASvfuoQhYON7uKUNCp45y
False
C:\588bce7c90097ed212\2070\LocalizedData.xml.locked 78.52 KB MD5: 3be8c5bd7c9040f7e38322db4a450a97
SHA1: b3e49fc2b2453a4aa96c4650bc44724e4aa54369
SHA256: 92d52f6ffdd7de657203b438157661f78c0409439c583d623934a47492835047
SSDeep: 1536:npB5T6YycrGPfWiZRJ6ItUwY16oHemxly/Hml2DKENJfx:bl62QfWi/7iw1EM/ml+Kkfx
False
C:\588bce7c90097ed212\1037\LocalizedData.xml.locked 70.53 KB MD5: 85b82a1050abd371c77ad72903f6c966
SHA1: bc1e6da3f16ecff0200d6bd40251f5e66e7b7076
SHA256: 606cf7bcabfbcdeb49c2c91044141ad2671469b79fbfb3dc980dce391a04f0d3
SSDeep: 1536:uiX9PDFL8ahDu43dGEAPwEVOjerR3NJzlaPkrP9:uSd8au43djApVfBN1QPkB
False
C:\Boot\Fonts\kor_boot.ttf.locked 2.26 MB MD5: f2f5edd4ec26b242a86b1a7c18601ace
SHA1: 16a73aaf2035cbb8cf4bc3419793b190b85241dd
SHA256: 307b8d0cc2336fcb6dcd4d327ab8bf5804870174fb532fe0e52fe2c6bfc184cc
SSDeep: 49152:nUU2GV6XnnKCWLARvk+QsVVDrrc3DGb8LLu0c5ygG1svJM:np2GcnLWsZ5rrcm8etvvm
False
C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked 4.96 MB MD5: c88642eb71361228c771f31183c2459e
SHA1: 6dd7d1cba8d5b4637b834dbf0fe64c1becaed511
SHA256: 2e8484ef47380ebc19647bb7d82942c5677192ea80862c567448d84fc6d5b204
SSDeep: 98304:GV9skpNVRSRHzaork/+NSDCL4HfnQ+GL7ThMduGjt:G8+RSRTk8N4/9GtMddjt
False
C:\Boot\Fonts\jpn_boot.ttf.locked 1.89 MB MD5: c35283998f7928f20b725c80898b0dac
SHA1: d4ca6a213c551ab677fb08a5d9f27f4ff65c9845
SHA256: c512da1294d344d73d02a191bf3647f4afb80777d2b07615014642908619eb48
SSDeep: 49152:fcCSWzpkpsHl0r3pJuXJyNuOK+aYXQJRhrj2jxx4rCCB:2Wqpbr2JmuDsXQfhr69arCCB
False
Host Behavior
File (288)
Operation Filename Additional Information Success Count Logfile
Get Info C:\588bce7c90097ed212\1029\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1029\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1033\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1033\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1043\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1043\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1041\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1041\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1031\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1031\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\2070\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\2070\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1037\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1037\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked type = file_attributes False 1
Fn
Get Info C:\Boot\Fonts\kor_boot.ttf type = file_attributes True 3
Fn
Get Info C:\Boot\Fonts\kor_boot.ttf.locked type = file_attributes False 1
Fn
Get Info C:\Boot\Fonts\jpn_boot.ttf.locked type = file_attributes False 1
Fn
Get Info C:\Boot\Fonts\jpn_boot.ttf type = file_attributes True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1033\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1043\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1041\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1031\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\2070\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1037\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Fonts\kor_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Fonts\jpn_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\1029\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1029\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1033\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1033\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1043\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1043\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1041\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1041\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1031\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1031\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\2070\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\2070\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1037\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1037\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked source_filename = C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\Fonts\kor_boot.ttf.locked source_filename = C:\Boot\Fonts\kor_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\Fonts\jpn_boot.ttf.locked source_filename = C:\Boot\Fonts\jpn_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked size = 15434, size_out = 15434 True 1
Read \??\\C:\588bce7c90097ed212\1033\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1033\LocalizedData.xml.locked size = 11696, size_out = 11696 True 1
Read \??\\C:\588bce7c90097ed212\1043\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1043\LocalizedData.xml.locked size = 14098, size_out = 14098 True 1
Read \??\\C:\588bce7c90097ed212\1041\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1041\LocalizedData.xml.locked size = 2690, size_out = 2690 True 1
Read \??\\C:\588bce7c90097ed212\1031\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1031\LocalizedData.xml.locked size = 16810, size_out = 16810 True 1
Read \??\\C:\588bce7c90097ed212\2070\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\2070\LocalizedData.xml.locked size = 14718, size_out = 14718 True 1
Read \??\\C:\588bce7c90097ed212\1037\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1037\LocalizedData.xml.locked size = 6540, size_out = 6540 True 1
Read \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked size = 65536, size_out = 65536 True 79
Read \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked size = 20755, size_out = 20755 True 1
Read \??\\C:\Boot\Fonts\kor_boot.ttf.locked size = 65536, size_out = 65536 True 36
Read \??\\C:\Boot\Fonts\kor_boot.ttf.locked size = 13704, size_out = 13704 True 1
Read \??\\C:\Boot\Fonts\jpn_boot.ttf.locked size = 65536, size_out = 65536 True 14
Write \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked offset = 65536, size = 15438 True 1
Write \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1033\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1033\LocalizedData.xml.locked offset = 65536, size = 11700 True 1
Write \??\\C:\588bce7c90097ed212\1033\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1043\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1043\LocalizedData.xml.locked offset = 65536, size = 14102 True 1
Write \??\\C:\588bce7c90097ed212\1043\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1041\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1041\LocalizedData.xml.locked offset = 65536, size = 2694 True 1
Write \??\\C:\588bce7c90097ed212\1041\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1031\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1031\LocalizedData.xml.locked offset = 65536, size = 16814 True 1
Write \??\\C:\588bce7c90097ed212\1031\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\2070\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\2070\LocalizedData.xml.locked offset = 65536, size = 14722 True 1
Write \??\\C:\588bce7c90097ed212\2070\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1037\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1037\LocalizedData.xml.locked offset = 65536, size = 6544 True 1
Write \??\\C:\588bce7c90097ed212\1037\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 65536, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 131072, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 196608, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 262144, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 327680, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 393216, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 458752, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 524288, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 589824, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 655360, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 720896, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 786432, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 851968, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 917504, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 983040, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 1114112, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 1179648, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 1245184, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 1310720, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu.locked offset = 1376256, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 720896, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 786432, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 851968, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 917504, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 983040, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1114112, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1179648, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1245184, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1310720, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1376256, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1441792, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1507328, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1572864, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1638400, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1703936, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1769472, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1835008, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1900544, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 1966080, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 2031616, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 2097152, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 2162688, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 2228224, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 2293760, size = 65536 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked offset = 2359296, size = 13708 True 1
Write \??\\C:\Boot\Fonts\kor_boot.ttf.locked size = 144 True 1
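The File rows above fix the worker's encryption routine even though the table is grouped by operation rather than by time: the Open on the .locked name succeeds and the Move's target is that same name, so the original is renamed first and the renamed file is then opened read/write with FILE_OPEN_FOR_BACKUP_INTENT, read in 64 KiB chunks, rewritten in place at the same offsets (the final partial chunk comes back 4 bytes longer than it was read), and finished with a 144-byte append. The script below is an added example by the editor, not code from the sample, from VMRay or from any decryptor: it parses rows in the report's format, groups the I/O per file and checks it against that layout. The row regex, the meaning given to the 4 extra bytes and the 144-byte block (the page only shows their sizes) and the refusal to handle files that are an exact multiple of 64 KiB (none occur in the report) are this editor's assumptions.

```python
"""Per-file I/O reconstruction from VMRay 'File' rows and a check of the
in-place encryption layout they imply (editor's example, see lead-in)."""
import re
from collections import defaultdict

CHUNK = 65536       # read/write granularity seen in the report
LAST_EXTRA = 4      # final partial chunk is written 4 bytes longer than it was read
TRAILER = 144       # fixed-size block appended after the data; content not shown on the page

# Constructed excerpt: the rows for one file, copied from the report's File table.
SAMPLE_ROWS = r"""
Open \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Move C:\588bce7c90097ed212\1029\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1029\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked size = 15434, size_out = 15434 True 1
Write \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked offset = 65536, size = 15438 True 1
Write \??\\C:\588bce7c90097ed212\1029\LocalizedData.xml.locked size = 144 True 1
"""

# Assumed row shape: "<op> <path> <key = value, ...> <True|False> <count>"
ROW = re.compile(r"^(?P<op>Open|Move|Read|Write)\s+(?P<path>\S+)\s+(?P<info>.*?)\s+"
                 r"(?P<ok>True|False)\s+(?P<count>\d+)$")


def norm(path: str) -> str:
    """Drop the NT object-manager prefix the report prints in front of the DOS path."""
    return re.sub(r"^\\\?\?\\+", "", path)


def kv(info: str) -> dict:
    """'offset = 0, size = 65536' -> {'offset': '0', 'size': '65536'}; flag lists stay whole."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+) = (.*?)(?=, \w+ = |$)", info)}


def parse(table: str) -> dict:
    """Group rows per normalised path; the Count column multiplies identical calls."""
    files = defaultdict(lambda: {"open": None, "renamed_from": None, "reads": [], "writes": []})
    for line in table.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        f, fields, n = files[norm(m["path"])], kv(m["info"]), int(m["count"])
        if m["op"] == "Open":
            f["open"] = fields
        elif m["op"] == "Move":
            f["renamed_from"] = fields.get("source_filename")
        elif m["op"] == "Read":
            f["reads"] += [int(fields["size_out"])] * n
        elif m["op"] == "Write":
            off = fields.get("offset")                 # absent on the trailer write
            f["writes"] += [(None if off is None else int(off), int(fields["size"]))] * n
    return dict(files)


def expected_locked_size(original_size: int) -> int:
    """Encrypted size predicted by the observed pattern. Exact multiples of CHUNK
    never occur in the report, so their layout is unknown and rejected (assumption)."""
    full, rem = divmod(original_size, CHUNK)
    if rem == 0:
        raise ValueError("CHUNK-aligned input not observed in the report")
    return full * CHUNK + rem + LAST_EXTRA + TRAILER


def inferred_original_size(locked_size: int) -> int:
    return locked_size - LAST_EXTRA - TRAILER


def summarize(f: dict) -> dict:
    """Compare one file's reads and writes with the in-place model."""
    bytes_read = sum(f["reads"])
    data = sorted((o, s) for o, s in f["writes"] if o is not None)
    trailer = sum(s for o, s in f["writes"] if o is None)
    in_place = all(o == i * CHUNK for i, (o, _) in enumerate(data))   # rewritten at the read offsets
    written = sum(s for _, s in data)
    return {
        "renamed_from": f["renamed_from"],
        "backup_intent": "FILE_OPEN_FOR_BACKUP_INTENT" in (f["open"] or {}).get("open_options", ""),
        "bytes_read": bytes_read,
        "bytes_written": written,
        "trailer": trailer,
        "matches_model": in_place and trailer == TRAILER and written == bytes_read + LAST_EXTRA,
    }


if __name__ == "__main__":
    for path, f in parse(SAMPLE_ROWS).items():
        print(path, summarize(f))
```

Run on the 1029 rows the model holds: 80970 bytes read, 80974 written back at offsets 0 and 65536, then 144 bytes, so a .locked file of 81118 bytes stands for an 80970-byte original. The same arithmetic applied to kor_boot.ttf (36 full chunks plus 13704 bytes) gives 2373148 bytes. Because the worker opens with backup intent, the privilege look-ups in the User table (SeBackupPrivilege, SeRestorePrivilege) are the part of the picture that would let those opens succeed on files the account's ACL would otherwise deny.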
Module (77)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
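Most of the Module rows are C runtime start-up (the Fls*, thread-pool, SRW-lock and condition-variable look-ups, several of which resolve into kernelbase or ntdll because kernel32 forwards them). The rows worth a second look are the Restart Manager trio resolved from Rstrtmgr.dll (RmStartSession, RmRegisterResources and RmGetList are the documented sequence for asking Windows which processes hold a given file open), the ntdll file primitives resolved by address (NtOpenFile, NtReadFile, NtWriteFile, NtClose, which sidestep user-mode hooks placed on kernel32/kernelbase), and the five privilege look-ups in the User table, where SeBackupPrivilege and SeRestorePrivilege are what would make the FILE_OPEN_FOR_BACKUP_INTENT opens in the File table succeed regardless of the file's ACL. The page shows only that the addresses and LUIDs were resolved, not the later calls, and the enabled-privilege list in the next process header does not include the backup/restore pair. The following is an added triage helper written by the editor for this report's row format, not a VMRay feature: the indicator table is the editor's reading of the rows above and the explanations are the documented purpose of each API, not observed behaviour of this sample.

```python
"""Which resolved imports and privilege look-ups in a VMRay Module/User table are
ransomware tells, and why (editor's example; indicator table is an assumption)."""
import re

# Constructed excerpt: rows copied from the report; start-up rows mostly omitted.
SAMPLE_ROWS = r"""
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
"""

RM_CHAIN = ("RmStartSession", "RmRegisterResources", "RmGetList")
NATIVE_IO = ("NtOpenFile", "NtReadFile", "NtWriteFile")

# Editor's indicator table: (module, export) -> documented purpose relevant to a file locker.
IMPORT_TELLS = {
    ("rstrtmgr.dll", "RmStartSession"):      "opens a Restart Manager session",
    ("rstrtmgr.dll", "RmRegisterResources"): "registers target files with that session",
    ("rstrtmgr.dll", "RmGetList"):           "returns the processes holding those files open",
    ("ntdll.dll", "NtOpenFile"):             "native file open, bypasses kernel32/kernelbase hooks",
    ("ntdll.dll", "NtReadFile"):             "native read, bypasses kernel32/kernelbase hooks",
    ("ntdll.dll", "NtWriteFile"):            "native write, bypasses kernel32/kernelbase hooks",
}
PRIV_TELLS = {
    "SeBackupPrivilege":  "read access with FILE_OPEN_FOR_BACKUP_INTENT regardless of ACL",
    "SeRestorePrivilege": "write/rename access with FILE_OPEN_FOR_BACKUP_INTENT regardless of ACL",
    "SeDebugPrivilege":   "open any process regardless of its DACL",
}


def collect(table: str) -> tuple[set, set]:
    """Extract (module, export) pairs and privilege names from the report rows."""
    imports, privs = set(), set()
    for line in table.strip().splitlines():
        m = re.match(r"^Get Address (\S+) function = (\w+),", line)
        if m:
            imports.add((m.group(1).rsplit("\\", 1)[-1].lower(), m.group(2)))
            continue
        m = re.match(r"^Lookup Privilege privilege = (\w+),", line)
        if m:
            privs.add(m.group(1))
    return imports, privs


def triage(table: str) -> dict:
    """Name the tells present and whether the three combinations that matter are complete."""
    imports, privs = collect(table)
    hits = [(f"{mod}!{fn}", why) for (mod, fn), why in IMPORT_TELLS.items() if (mod, fn) in imports]
    hits += [(p, why) for p, why in PRIV_TELLS.items() if p in privs]
    return {
        "hits": hits,
        "restart_manager_chain": all(("rstrtmgr.dll", f) in imports for f in RM_CHAIN),
        "direct_native_io": all(("ntdll.dll", f) in imports for f in NATIVE_IO),
        "backup_restore_pair": {"SeBackupPrivilege", "SeRestorePrivilege"} <= privs,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS)
    for name, why in result["hits"]:
        print(f"{name:32} {why}")
    print({k: v for k, v in result.items() if k != "hits"})
```

The three booleans are the part to act on: a complete Restart Manager chain plus the backup/restore pair next to a File table full of backup-intent opens is a stronger signal than any single import, and the native-I/O flag explains why a detection that only hooks CreateFileW/WriteFile in kernel32 would see the renames but not the encrypting writes.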
System (39)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 13050924852 True 1
Get Time type = Performance Ctr, time = 14379333666 True 1
Get Time type = System Time True 18
Get Time type = Performance Ctr, time = 14628324217 True 1
Get Time type = Performance Ctr, time = 14663981550 True 1
Get Time type = Performance Ctr, time = 15272037550 True 1
Get Time type = Performance Ctr, time = 15306874349 True 1
Get Time type = Performance Ctr, time = 15465890661 True 1
Get Time type = Performance Ctr, time = 15506400736 True 1
Get Time type = Performance Ctr, time = 15590653459 True 1
Get Time type = Performance Ctr, time = 15724943517 True 1
Get Time type = Performance Ctr, time = 15803062546 True 1
Get Time type = Performance Ctr, time = 15861196321 True 1
Get Time type = Performance Ctr, time = 15914413331 True 1
Get Time type = Performance Ctr, time = 16454045572 True 1
Get Time type = Performance Ctr, time = 16493556702 True 1
Get Time type = Performance Ctr, time = 16563828154 True 1
Get Time type = Performance Ctr, time = 17132090559 True 1
Get Time type = Performance Ctr, time = 17471415454 True 1
Get Time type = Performance Ctr, time = 17638889911 True 1
Get Info type = Hardware Information True 2
Mutex (2019)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 2018
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (9)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1029\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1033\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1043\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1041\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1031\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\2070\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1037\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x64.msu True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\Fonts\jpn_boot.ttf True 1
Process #7: zzbdrimp5619.exe
Information Value
ID #7
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:01:27, Reason: Self Terminated
Monitor Duration 00:00:49
OS Process Information
Information Value
PID 0xdb4
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA88, 0xD44, 0xF88, 0x738
Dropped Files
Filename File Size Hash Values YARA Match
C:\588bce7c90097ed212\1049\LocalizedData.xml.locked 79.72 KB
MD5: 24688cb5f8891709f6459e3a12ca243c
SHA1: 6df2f267c985828fe5181ac73fc2461528ea72cf
SHA256: fa3b60819a23169467277152de64083300dada373539b9726563686d8a0a957a
SSDeep: 1536:kXIRRiuX9qJGyBLjRNkFaTaXN43+i8bKNPZ1275ghgF6zryWJlyKZ3ZnOK:kXeiuX4gwLdM9X3i8bKpc5g/zryWJlys
YARA Match: False
C:\588bce7c90097ed212\1046\LocalizedData.xml.locked 78.99 KB
MD5: 1edaad5d067b17b019b1acd526ab0481
SHA1: 456b931b86c5164ed70a86bfa2e8a29ebb2c119f
SHA256: ede2a0e030adeafff0efec390729a7b907af69e534f63288c81540e25265d9f5
SSDeep: 1536:xB1sajh8YPjK0HTAw7DpscxTZwPpIVlosGdCaJXf/mLGc7RqHI:xbfPm0HTTfdwmTGEUHmLGJI
YARA Match: False
C:\588bce7c90097ed212\1032\LocalizedData.xml.locked 84.41 KB
MD5: 4be8f479b9eb2c621c579c052a5cb41a
SHA1: 27efa77cb108865148f1a73e400b62aff63bd56d
SHA256: b723ab345cb0ce9ce63d832be073341bbe1ed2f9b3244838a925f82bc5957a57
SSDeep: 1536:NlTYg7K1AnM5G+Ib2SZIvtgL2qDVZtnTxEWjIDBQMCxovY93sE2SKnQ1Er5V5M:rTJ7aEDhK1gLPZDTy5DwSGiHPtM
YARA Match: False
C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked 91.27 KB
MD5: 3786fb3e70d55ee03e11f565a6afde7b
SHA1: f86fb44e15376484735019759551c4527260e32b
SHA256: e0aaa3bc6344f60803c3f8391ec9d31550f60ac775efdddb186667fa97ca46db
SSDeep: 1536:DQFT+lV57ZwG79g1TLP50TtvVE80bjoGKP2yp0RNkeiQ2VJSJsmMzFa:HVFZw//PmSnqZpgNklJasmMzFa
YARA Match: False
C:\588bce7c90097ed212\1038\LocalizedData.xml.locked 84.56 KB
MD5: 7cc4ebd6a20f0410eb36f0e8debe1527
SHA1: 653cb2ccece6a5c439c660a92e0c06e50725b81d
SHA256: e230607e2cb88f972d9b5218f97b036e3cbff28901376429632d317ca0bbb321
SSDeep: 1536:yQrL01RDFwW0zcjcqC8xNgN3dMKnGj9GrPL23E3BWf6Odw35hDnV7ZNFYGiFCyoN:3X01xyncjcl8vg/jQGP2sofpdw3rJ9bL
YARA Match: False
C:\588bce7c90097ed212\1053\LocalizedData.xml.locked 76.00 KB
MD5: 0d4e62e764c57080a9d80a2d550518be
SHA1: 4edcd2eb89f2d8fb6b588aa74f15d42b3d5c0216
SHA256: 1bb03169600ea90390db13ec1bad60927c3f61be219b298f7b159ee99df25d2d
SSDeep: 1536:Gm3C2aobCNj10+N5TlHCTcMIah7kUA+fLZl1XNRG3CxZTOkoeumHlZXi5DgJX:GmS2I1005TMTnIapFA+DDdiyxZTOR2Xn
YARA Match: False
C:\Boot\Fonts\cht_boot.ttf.locked 3.70 MB
MD5: 3949c1c630edaca6bbfade8a594d1c70
SHA1: d64e212f152cc73f67213f10fbb437583a12bbe3
SHA256: 9112fcac46d78ae73df2072268f258c8b83850b1b144f4ff8a45a0b95a439d45
SSDeep: 98304:pvkrV2V/CNUEKRfIslduS84JxW0TD8ayzxUK:pcAVpEGlduSHE0nNyOK
YARA Match: False
C:\Boot\Fonts\chs_boot.ttf.locked 3.52 MB
MD5: 1df25f65f585519e0300afd249238d8e
SHA1: 16766a5772604b324d0951ae00508af243809a5e
SHA256: 8b694849e3b78d6b4fb901975f310f02de786da4cdeef92a344525102b087fb3
SSDeep: 98304:T2B2W3XER4PMd5icPJCVGsMX4kRtsOauHR:CBR3G4PMdrhCVGsjkPsObHR
YARA Match: False
C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked 2.04 MB
MD5: f16ebdcc6ce1d54710e69f2cf849efa1
SHA1: 95598770a339745a53d864f768f44dda0867fbed
SHA256: 6984caaaec516cda5e6e170049f9c237ae35ba4ee970c162422cee9a5341fc30
SSDeep: 49152:ijSPyouCYcA9zPMoVpEd/aRXk+jf+TdytteuYDN/wb3au9kK44:go1sjtV2d/a1k+jfBttefDuv9h9
YARA Match: False
Host Behavior
File (303)
Operation Filename Additional Information Success Count
Get Info C:\588bce7c90097ed212\1049\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1049\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1046\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1046\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1032\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1032\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Extended\Parameterinfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1038\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1038\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1053\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1053\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\Boot\Fonts\cht_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\cht_boot.ttf.locked type = file_attributes False 1
Get Info C:\Boot\Fonts\chs_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\chs_boot.ttf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu type = file_attributes True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\588bce7c90097ed212\1049\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1046\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1032\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1038\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1053\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Fonts\cht_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Fonts\chs_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\1049\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1049\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1046\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1046\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1032\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1032\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked source_filename = C:\588bce7c90097ed212\Extended\Parameterinfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1038\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1038\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1053\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1053\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\Fonts\cht_boot.ttf.locked source_filename = C:\Boot\Fonts\cht_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\Fonts\chs_boot.ttf.locked source_filename = C:\Boot\Fonts\chs_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked source_filename = C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\588bce7c90097ed212\1049\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1049\LocalizedData.xml.locked size = 15946, size_out = 15946 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1046\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1046\LocalizedData.xml.locked size = 15202, size_out = 15202 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1032\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1032\LocalizedData.xml.locked size = 20748, size_out = 20748 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked size = 27778, size_out = 27778 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1038\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1038\LocalizedData.xml.locked size = 20906, size_out = 20906 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1053\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1053\LocalizedData.xml.locked size = 12144, size_out = 12144 True 1
Fn
Data
Read \??\\C:\Boot\Fonts\cht_boot.ttf.locked size = 65536, size_out = 65536 True 59
Fn
Data
Read \??\\C:\Boot\Fonts\cht_boot.ttf.locked size = 11786, size_out = 11786 True 1
Fn
Data
Read \??\\C:\Boot\Fonts\chs_boot.ttf.locked size = 65536, size_out = 65536 True 56
Fn
Data
Read \??\\C:\Boot\Fonts\chs_boot.ttf.locked size = 25703, size_out = 25703 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked size = 65536, size_out = 65536 True 32
Fn
Data
Read \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked size = 44281, size_out = 44281 True 1
Fn
Data
Read - size = 65536, size_out = 65536 True 2
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\LocalizedData.xml.locked offset = 65536, size = 15950 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1046\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1046\LocalizedData.xml.locked offset = 65536, size = 15206 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1046\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1032\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1032\LocalizedData.xml.locked offset = 65536, size = 20752 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1032\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked offset = 65536, size = 27782 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Extended\Parameterinfo.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1038\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1038\LocalizedData.xml.locked offset = 65536, size = 20910 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1038\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1053\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1053\LocalizedData.xml.locked offset = 65536, size = 12148 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1053\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 655360, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 720896, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 786432, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 851968, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 917504, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 983040, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1048576, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1114112, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1179648, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1245184, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1310720, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1376256, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1441792, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\cht_boot.ttf.locked offset = 1507328, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 655360, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 720896, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 786432, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 851968, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 917504, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 983040, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 1048576, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 1114112, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\chs_boot.ttf.locked offset = 1179648, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 655360, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 720896, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 786432, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 851968, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 917504, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 983040, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 1048576, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 1114112, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 1179648, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 1245184, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 1310720, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x86.msu.locked offset = 1376256, size = 65536 True 1
Fn
Data
Module (78)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Handle mscoree.dll - False 1
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (37)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 13047611655 True 1
Fn
Get Time type = Performance Ctr, time = 14377607566 True 1
Fn
Get Time type = System Time True 17
Fn
Get Time type = Performance Ctr, time = 14473716344 True 1
Fn
Get Time type = Performance Ctr, time = 14502842435 True 1
Fn
Get Time type = Performance Ctr, time = 15267190796 True 1
Fn
Get Time type = Performance Ctr, time = 15318464310 True 1
Fn
Get Time type = Performance Ctr, time = 15463426983 True 1
Fn
Get Time type = Performance Ctr, time = 15542494245 True 1
Fn
Get Time type = Performance Ctr, time = 15589758379 True 1
Fn
Get Time type = Performance Ctr, time = 15783448556 True 1
Fn
Get Time type = Performance Ctr, time = 15840048382 True 1
Fn
Get Time type = Performance Ctr, time = 16422722514 True 1
Fn
Get Time type = Performance Ctr, time = 16468960415 True 1
Fn
Get Time type = Performance Ctr, time = 16608982392 True 1
Fn
Get Time type = Performance Ctr, time = 17047852421 True 1
Fn
Get Time type = Performance Ctr, time = 17324178699 True 1
Fn
Get Time type = Performance Ctr, time = 17510380449 True 1
Fn
Get Time type = Performance Ctr, time = 17632765844 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1764)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 1763
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (7)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1049\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1046\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1032\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Extended\Parameterinfo.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1038\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1053\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\Fonts\cht_boot.ttf True 1
Fn
Process #8: zzbdrimp5619.exe
Information Value
ID #8
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:02:39, Reason: Self Terminated
Monitor Duration 00:02:01
OS Process Information
Information Value
PID 0xe00
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xAC4
0x2D4
0xF58
0x704
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Boot\zh-TW\bootmgr.exe.mui.locked 62.49 KB MD5: 7bd7e1f032a222c3e55fa4bd3db38c47
SHA1: 385685d9a0794bba8f46d0744d7b1578a136b25b
SHA256: c949fa5ef906bf1041df34e979aa9dbe7f66746042b39e9b8adcffa5b1460fbc
SSDeep: 1536:sL/d6aqCl/1LQL/iPXEIqPSAVks4GZAPctPOKSu:4/P7hY/2XEIU3Vki
False
C:\588bce7c90097ed212\1036\LocalizedData.xml.locked 81.16 KB MD5: 33491937002243eb17a5e6ec70dd9c1b
SHA1: 10602d61916b1bf1fd59f7fc6c7936d1c66874f9
SHA256: e99143e7c6b3ed28139cfb522ea4b6bd54dea5a69840b691e6fc44b02f53f514
SSDeep: 1536:TPEyaC+mz7kKiS2GnAGAVod6ebYjIAl+maCHBmttiiskg1xDzWv2acJgjAHB:TP4m2Yuo6gAl+KEttiisZPetcJgjK
False
C:\588bce7c90097ed212\Strings.xml.locked 13.90 KB MD5: af2aace707554526756144e6880c6fc4
SHA1: 5aa793d59818a949a606552c46bdb05c9d1b36e4
SHA256: 875972973af30522c536c9583d7e0c822dceeb68480d303aff052471d18ef671
SSDeep: 384:y8nnNOYoSV5eduZBA77NAYteMAiiFRBqm/y402:3nQYoSzeduZBW7+YtenJKe
False
C:\588bce7c90097ed212\ParameterInfo.xml.locked 265.81 KB MD5: c6473ba5b7e2309c15d808ff066684de
SHA1: 2de6cda5f6620bb857c800c1e8b56e19ae8d93c7
SHA256: 224133c611a3a5e135ed88286e0cea6596d9a7b8df10a908a64558025f3d0afa
SSDeep: 6144:QeEuc8zdULq59s5SJCvO8/Z25DqbbRPodjz6PwYfxWEzjJS3dEBa2kjZf:RJzmLq5ehvzM5eHpyGPwYFLBMZf
False
C:\588bce7c90097ed212\1040\LocalizedData.xml.locked 78.33 KB MD5: fc93abdefb5f18cdbe35c074c5ff56bc
SHA1: b1c1557b310ab055150414b543ef9051da4640e7
SHA256: a032bbefb832de9699cec00ab7d3aea5d96865167c551e77d9bac48a14072fd6
SSDeep: 1536:6HHcJiuSEpDOcueNkRWl4A+x51lhjzWqgLnQmZTyatujiAmsmtxDO0vJ:6HHcl1acuexl4A+T1lAQmZT1ujiAzmtV
False
C:\588bce7c90097ed212\1030\LocalizedData.xml.locked 76.07 KB MD5: 8b0351bbb83b2965ba92201289a25213
SHA1: 3854292e7f7d3c27a3b0658bead55ba863e0c7e1
SHA256: b67bd63dc20cb49d55a1d2f0eec9176770ba82ea9bf0a7bdc63ed20a59cd10f9
SSDeep: 1536:o1H42meqEyapWpFmg1hb5WM8Kfq16CVBDmWK+pv+PJPmS3pKmzLr11eSQGgCGryF:WH42meqEyKWjmgdWMdS6UNmX+wJPRpKc
False
C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked 68.14 KB MD5: bce11f4949c46e482d5544503e376e3f
SHA1: 4ad4b4e06f6aa8f8d20033242849fdc205ab438f
SHA256: a3f4afd57faff9436112b6f04600a734ea912aee85a78dd8cabedaa744318110
SSDeep: 1536:RicX++xLKt9MHWRVsW6S+Tr1H7mo/ALgJ2Klr:R+KO7sWsio/AdMr
False
C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked 68.14 KB MD5: 72e433a2e38afa7b68d3ccce32bfe111
SHA1: 08cd34dd26730ed68560b0003e68ec8c2b358fa9
SHA256: 701de0d244741489bc86b3bb48fa0d58979f39e25da714959dc469821e57549e
SSDeep: 1536:MSIEHh0tDdcYW9mxZ3rp6bEFNlb8CKIRP6ieBUdqxqObk9INpOcxHe:x3h0tDdcYHxSbEFfb8CIBUdqoObvNe
False
C:\588bce7c90097ed212\1049\eula.rtf.locked 53.32 KB MD5: 2291594db6af7496628799cee0972e0c
SHA1: d1c59aa11c23bbec99b53a3bbe20953b2ced7f15
SHA256: b824ce65cc688fee0762370d0726a02111d87e6ee9e4d68842ffce2c0e1fe323
SSDeep: 1536:15LzYSBHv1B9ToDpsK1LJfSY/JyBICBSPEQngBb:15DBPpUj1N3/gIR+b
False
C:\588bce7c90097ed212\netfx_Core.mzz.locked 10.00 MB MD5: a0fcf69d07a5865b6ee8426bcbdd19db
SHA1: 27db3f1b54a5d54790a10fc8c1c717f6446a51b2
SHA256: 54e4d5a428ed96b5b6a928bf806f5d2a173df2911ed41830e3ca1f713d1a01c1
SSDeep: 196608:jgXn3FLHgFmE9t+h18uDTUgby7NTh0Pb4upG2fX9sDzI0EHi2UJSyU9bTEsao1wT:ja562Gu0gbEmlLXO/qXkSpV51wXpG5g
False
C:\Boot\Fonts\wgl4_boot.ttf.locked 48.08 KB MD5: af23eea0481257fccb9cdfaefdb4db9a
SHA1: 5c8132a837bf7c4c42aa73b72a1d42de7c98f4a7
SHA256: ba4f4714c846d3ebc82b118121dd9e8f1f5ced0977899ea5a26e5e00763dbb68
SSDeep: 1536:34C1vcGSJ9+yRTjB1BwxRCIEejook7skBSDOlOhU:3zv9SjjB18RrNjookYUWOlOC
False
Host Behavior
File (574)
Operation Filename Additional Information Success Count Logfile
Get Info C:\588bce7c90097ed212\1036\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1036\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\Strings.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\Strings.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\ParameterInfo.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\ParameterInfo.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1040\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1040\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1030\LocalizedData.xml type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1030\LocalizedData.xml.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\netfx_Core.mzz type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\netfx_Core.mzz.locked type = file_attributes False 1
Fn
Get Info C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx type = file_attributes True 3
Fn
Get Info C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked type = file_attributes False 1
Fn
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx type = file_attributes True 3
Fn
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked type = file_attributes False 1
Fn
Get Info C:\Boot\zh-TW\bootmgr.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\zh-TW\bootmgr.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1049\eula.rtf type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1049\eula.rtf.locked type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\588bce7c90097ed212\1036\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\Strings.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1040\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1030\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\zh-TW\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1049\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\588bce7c90097ed212\1036\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1036\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Strings.xml.locked source_filename = C:\588bce7c90097ed212\Strings.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\ParameterInfo.xml.locked source_filename = C:\588bce7c90097ed212\ParameterInfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1040\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1040\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1030\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1030\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\netfx_Core.mzz.locked source_filename = C:\588bce7c90097ed212\netfx_Core.mzz, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\zh-TW\bootmgr.exe.mui.locked source_filename = C:\Boot\zh-TW\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1049\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1049\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\Fonts\wgl4_boot.ttf.locked source_filename = C:\Boot\Fonts\wgl4_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\588bce7c90097ed212\1036\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1036\LocalizedData.xml.locked size = 17426, size_out = 17426 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Strings.xml.locked size = 14084, size_out = 14084 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked size = 65536, size_out = 65536 True 4
Fn
Data
Read \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked size = 9902, size_out = 9902 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1040\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1040\LocalizedData.xml.locked size = 14524, size_out = 14524 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1030\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1030\LocalizedData.xml.locked size = 12212, size_out = 12212 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked size = 65536, size_out = 65536 True 355
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Boot\zh-TW\bootmgr.exe.mui.locked size = 63840, size_out = 63840 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1049\eula.rtf.locked size = 54456, size_out = 54456 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1036\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1036\LocalizedData.xml.locked offset = 65536, size = 17430 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1036\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Strings.xml.locked offset = 0, size = 14088 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Strings.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked offset = 262144, size = 9906 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\ParameterInfo.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1040\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1040\LocalizedData.xml.locked offset = 65536, size = 14528 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1040\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1030\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1030\LocalizedData.xml.locked offset = 65536, size = 12216 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1030\LocalizedData.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 655360, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 720896, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 786432, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 851968, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 917504, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 983040, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 1048576, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 1114112, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 1179648, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 1245184, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 1310720, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 1376256, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3145728, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3211264, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3276800, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3342336, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3407872, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3473408, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3538944, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3604480, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3670016, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3735552, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3801088, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3866624, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3932160, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 3997696, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4063232, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4128768, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4194304, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4259840, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4325376, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4390912, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4456448, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4521984, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4587520, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4653056, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4718592, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4784128, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4849664, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4915200, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 4980736, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5046272, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5111808, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5177344, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5242880, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5308416, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5373952, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5439488, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5505024, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5570560, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5636096, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5701632, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5767168, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5832704, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 5898240, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8519680, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8585216, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8650752, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8716288, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8781824, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8847360, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8912896, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 8978432, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9043968, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9109504, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9175040, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9240576, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9306112, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9371648, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9437184, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9502720, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9568256, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9633792, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9699328, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9764864, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9830400, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 9895936, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16384000, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16449536, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16515072, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16580608, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16646144, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16711680, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16777216, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16842752, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16908288, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 16973824, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17039360, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17104896, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17170432, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17235968, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17301504, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17367040, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17432576, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17498112, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17563648, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17629184, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17694720, size = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\netfx_Core.mzz.locked offset = 17760256, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\zh-TW\bootmgr.exe.mui.locked offset = 0, size = 63844 True 1
Fn
Data
Write \??\\C:\Boot\zh-TW\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\eula.rtf.locked offset = 0, size = 54460 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\eula.rtf.locked size = 144 True 1
Fn
Data
Module (75)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (43)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 13085656699 True 1
Fn
Get Time type = Performance Ctr, time = 14382322650 True 1
Fn
Get Time type = System Time True 20
Fn
Get Time type = Performance Ctr, time = 14582939761 True 1
Fn
Get Time type = Performance Ctr, time = 14644274740 True 1
Fn
Get Time type = Performance Ctr, time = 15225168377 True 1
Fn
Get Time type = Performance Ctr, time = 15261189507 True 1
Fn
Get Time type = Performance Ctr, time = 15388160894 True 1
Fn
Get Time type = Performance Ctr, time = 15416887921 True 1
Fn
Get Time type = Performance Ctr, time = 15591798092 True 1
Fn
Get Time type = Performance Ctr, time = 15771316181 True 1
Fn
Get Time type = Performance Ctr, time = 15816601747 True 1
Fn
Get Time type = Performance Ctr, time = 16476981467 True 1
Fn
Get Time type = Performance Ctr, time = 22938188760 True 1
Fn
Get Time type = Performance Ctr, time = 22973341965 True 1
Fn
Get Time type = Performance Ctr, time = 23036649738 True 1
Fn
Get Time type = Performance Ctr, time = 23164334009 True 1
Fn
Get Time type = Performance Ctr, time = 24659285767 True 1
Fn
Get Time type = Performance Ctr, time = 24674936329 True 1
Fn
Get Time type = Performance Ctr, time = 24715272630 True 1
Fn
Get Time type = Performance Ctr, time = 24731172280 True 1
Fn
Get Time type = Performance Ctr, time = 24834514436 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (2115)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 2114
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (9)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1036\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Strings.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\ParameterInfo.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1040\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1030\LocalizedData.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\netfx_Core.mzz True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\zh-TW\bootmgr.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1049\eula.rtf True 1
Fn
Process #9: zzbdrimp5619.exe
Information Value
ID #9
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:00:37, Reason: Child Process
Unmonitor End Time: 00:01:25, Reason: Self Terminated
Monitor Duration 00:00:47
OS Process Information
Information Value
PID 0xbfc
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x654, 0x6C8, 0xE88, 0x754
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\588bce7c90097ed212\1035\LocalizedData.xml.locked 75.36 KB MD5: a01e82d9b401d5d2a3d6573f3fd21c78
SHA1: 0275467fe16ec200e6fae9a17dcb5c02296769c1
SHA256: 906c9cf141af4e2c8ca5c61e9c306da9a9737a91bfdcc75f9d4987939e1109be
SSDeep: 1536:FMaMNFMU76q+alZqlUv9B6ChfqVwoJo7BogsYY+4PftJ7qDy:FhMDMu6W9ffqVly+h+AVJ+Dy
False
C:\588bce7c90097ed212\1045\LocalizedData.xml.locked 80.59 KB MD5: cc01c841d4dca719904ad5df11ed2e9f
SHA1: 223eeb4e1a69e1a239233586d4053f5b6c588102
SHA256: a4d52af905292382815f4088dfc32c9d57570dd9f5233ee049342914a615900f
SSDeep: 1536:/Dt6iNXCG46DmDbi2SWSGcn06hM6si9JoPGQQfRx6r+Xwb:pTSN6DmDbi21U06hNsi2GVfRs+o
False
C:\588bce7c90097ed212\1042\LocalizedData.xml.locked 63.85 KB MD5: 5608d3bf4f4f17efc774889223a1ff41
SHA1: 4d71b97a165a4be971126e5eed835c496a76846b
SHA256: 753b0ed7710d91c61a8d8f1f42586eeffcbb248f110e4550673eba4997e5a893
SSDeep: 1536:frkWRalvQhUo7W/X3JVcbgNlTgvVEnDNMCIel2E:TkWRair7W/X3JVwWe+hMCIi7
False
C:\588bce7c90097ed212\Extended\UiInfo.xml.locked 38.28 KB MD5: 8b954c30e25a0925da6804f39b2d3173
SHA1: 09fcd9dc028885c6f2faf755643dc372d2951d41
SHA256: 39de200bf6a88c1c0316aabbab0de38a10625695bbb2eac9606c8900b426636f
SSDeep: 768:4gsnoTs39SE2zpayJooLY+gzw3mTTJuLG89NksGHywSQ3iDPBEXX:4gu9SE8ioLY+iTTJu8sGS0SDPBEX
False
C:\588bce7c90097ed212\Client\UiInfo.xml.locked 38.27 KB MD5: 079b2b512c08a368af9105a19b3a2b58
SHA1: 112285fde5a98df407b8bb219b398ba24488fa4a
SHA256: 512e81318d7c0173e8cef87bfbcca51d064a1eb622f80e2b242e5fd289bfe20f
SSDeep: 768:yN3Jzg3/RIJT0RwyIxsJ5Uc31GtE6HF4x5SgVQB2+U/Tk8TD8OhF/m:azE/0T0RwyhA+1B6ajSQQ4Y8Td//m
False
C:\588bce7c90097ed212\3082\LocalizedData.xml.locked 78.27 KB MD5: 5add446f0b53013be98fb70a85dcf2d8
SHA1: 0deb9c7f8735cfb3db64c78fcf5c20e60c073590
SHA256: 59d60289e865af8b4371cbb6e4eebd3ca946efd2be764a571a4020fc6459cbbb
SSDeep: 1536:NYGMwFhBibY4eTfxjfD1ulL32RAliqjHfBwUSQwLTmHs3C8gCP:NYGM0YY4kZXc6RAlvqxQwL6HsS8D
YARA Match: False
C:\588bce7c90097ed212\1055\LocalizedData.xml.locked 75.16 KB MD5: 20b80aaf52d9fcd077836ee779fb4cb3
SHA1: 34bb86c9dff6e9e11fce577616cea4c2f9ac7d3e
SHA256: fada9e8e82e163a4cfb4655e2adf6879f130b863aa68d558f1c84049ab8bc149
SSDeep: 1536:TcXOpA1SsGy9GqydU2WeuZTi8KOzaz7mt2MsrKpb+:TcXUKGdF8KrCQMsrIS
YARA Match: False
C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked 4.86 MB MD5: e185214bb1119ad0ec506421301755de
SHA1: 2786598eb8d472640ba4c4749d64432e64f2e37f
SHA256: 766c603a90b57842a1dbc5feb46c819be718e7bb9c33d790b18a142f36b0bfec
SSDeep: 98304:S6+8eXkmZfFN4EQ5VJ76qAWdounjnVFaYczc9UI+isMfCDx//u6ye1lo06EW+b4m:S6cXkmtf4EgVJ76qAWdjnjjaX8yzt3yo
YARA Match: False
C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked 2.09 MB MD5: 85cd2c82ae7e1c4407c47642324a82c3
SHA1: 76fb0de7178388a9796b3334c45cc49407a7a117
SHA256: 855512900aed33edca5817e1b2c825788699f19314698d0385f979abc51c3dee
SSDeep: 49152:TY573Z4y+QZMxJ4oviicwMQbd8MZbJDDS30pNibDe5tdJ:s5eyVMxDviicId8MZbRDSDDqHJ
YARA Match: False
C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked 2.07 MB MD5: 967d4220e827ccd52aec90bba3a69ce9
SHA1: bfec072e368347ccf039589fea45d8f11118b50e
SHA256: 42d77992896422f54a1e44782abc2e62520833978f04e9553a8898bfe6978ac4
SSDeep: 49152:Whp3u1Dl+5akle3aPZYG+KFM3XttX/d0nwxDVx+CTf:2p3swPYs5S3XrenWDVR
YARA Match: False
Host Behavior
File (321)
Operation Filename Additional Information Success Count
Get Info C:\588bce7c90097ed212\1035\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1035\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1045\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1045\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1042\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1042\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Extended\UiInfo.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Extended\UiInfo.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Client\UiInfo.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Client\UiInfo.xml type = file_attributes True 1
Get Info C:\588bce7c90097ed212\3082\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\3082\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1055\LocalizedData.xml type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1055\LocalizedData.xml.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx type = file_attributes True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1045\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1042\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Extended\UiInfo.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Client\UiInfo.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\3082\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1055\LocalizedData.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\1035\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1035\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1045\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1045\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1042\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1042\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Extended\UiInfo.xml.locked source_filename = C:\588bce7c90097ed212\Extended\UiInfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Client\UiInfo.xml.locked source_filename = C:\588bce7c90097ed212\Client\UiInfo.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\3082\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\3082\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1055\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1055\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked source_filename = C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked source_filename = C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked size = 11486, size_out = 11486 True 1
Read \??\\C:\588bce7c90097ed212\1045\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1045\LocalizedData.xml.locked size = 16838, size_out = 16838 True 1
Read \??\\C:\588bce7c90097ed212\1042\LocalizedData.xml.locked size = 65238, size_out = 65238 True 1
Read \??\\C:\588bce7c90097ed212\Extended\UiInfo.xml.locked size = 39050, size_out = 39050 True 1
Read \??\\C:\588bce7c90097ed212\Client\UiInfo.xml.locked size = 39042, size_out = 39042 True 1
Read \??\\C:\588bce7c90097ed212\3082\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\3082\LocalizedData.xml.locked size = 14460, size_out = 14460 True 1
Read \??\\C:\588bce7c90097ed212\1055\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1055\LocalizedData.xml.locked size = 11282, size_out = 11282 True 1
Read \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked size = 65536, size_out = 65536 True 77
Read \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked size = 45518, size_out = 45518 True 1
Read \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked size = 65536, size_out = 65536 True 33
Read \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked size = 29984, size_out = 29984 True 1
Read \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked size = 65536, size_out = 65536 True 33
Read \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read - size = 65536, size_out = 65536 True 17
Read - size = 49152, size_out = 49152 True 1
Write \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked offset = 65536, size = 11490 True 1
Write \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1045\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1045\LocalizedData.xml.locked offset = 65536, size = 16842 True 1
Write \??\\C:\588bce7c90097ed212\1045\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1042\LocalizedData.xml.locked offset = 0, size = 65242 True 1
Write \??\\C:\588bce7c90097ed212\1042\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Extended\UiInfo.xml.locked offset = 0, size = 39054 True 1
Write \??\\C:\588bce7c90097ed212\Extended\UiInfo.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Client\UiInfo.xml.locked offset = 0, size = 39046 True 1
Write \??\\C:\588bce7c90097ed212\Client\UiInfo.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\3082\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\3082\LocalizedData.xml.locked offset = 65536, size = 14464 True 1
Write \??\\C:\588bce7c90097ed212\3082\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1055\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1055\LocalizedData.xml.locked offset = 65536, size = 11286 True 1
Write \??\\C:\588bce7c90097ed212\1055\LocalizedData.xml.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 65536, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 131072, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 196608, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 262144, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 327680, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 393216, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 458752, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 524288, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 589824, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 655360, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 720896, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 786432, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 851968, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 917504, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 983040, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1114112, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1179648, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1245184, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1310720, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1376256, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1441792, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1507328, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1572864, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1638400, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 1703936, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 65536, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 131072, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 196608, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 262144, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 327680, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 393216, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 458752, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 524288, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 589824, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 655360, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 720896, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 786432, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 851968, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 917504, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 983040, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 1114112, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.0-KB956250-v6001-x86.msu.locked offset = 1179648, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 720896, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 786432, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 851968, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 917504, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 983040, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 1114112, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 1179648, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 1245184, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 1310720, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.locked offset = 1376256, size = 65536 True 1
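The File rows above describe one encryption routine repeated per target: a Get Info probe for the original and for an already-existing .locked twin, a Move that renames the original to <name>.locked with MOVEFILE_REPLACE_EXISTING, an Open of the renamed file with write access, backup intent and FILE_SHARE_DELETE, 64 KiB reads, in-place writes at the same offsets where the final chunk is 4 bytes longer than what was read, and a final 144-byte write with no offset. The script below is an added analyst helper, not code from the report or from the sample: it parses rows in this report's plain-text format, pairs the Move with the reads and writes on the renamed path, checks the write side against that layout, and predicts the encrypted size from the read side (plaintext + 4 + 144), which for the 1035 LocalizedData.xml comes to 77170 bytes, the 75.36 KB shown under Dropped Files. The read side is used for the size because the page lists only the first 27 write rows and no trailer row for the x64 .msu, so the layout check reports False for it while the size from its 77 + 1 reads still matches the listed 4.86 MB. The sample rows are a constructed subset of the table above; the 4-byte and 144-byte constants are read off the rows and are assumptions about this sample only.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Layout visible in the File rows above (assumed constants for this sample): each 64 KiB chunk
# is read back from the renamed .locked file and rewritten in place at the same offset, the
# final chunk grows by 4 bytes, and one 144-byte write with no offset closes the file.
FINAL_CHUNK_OVERHEAD = 4
TRAILER_LEN = 144

ROW_RE = re.compile(r"^(Get Info|Open|Move|Read|Write)\s+(\S+)\s+(.*?)\s+(True|False)\s+(\d+)$")

# Constructed sample: a subset of the rows above, in the report's own row format.
SAMPLE_ROWS = r"""
Move C:\588bce7c90097ed212\1035\LocalizedData.xml.locked source_filename = C:\588bce7c90097ed212\1035\LocalizedData.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked size = 11486, size_out = 11486 True 1
Write \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked offset = 65536, size = 11490 True 1
Write \??\\C:\588bce7c90097ed212\1035\LocalizedData.xml.locked size = 144 True 1
Move C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked source_filename = C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked size = 65536, size_out = 65536 True 77
Read \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked size = 45518, size_out = 45518 True 1
Write \??\\C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu.locked offset = 0, size = 65536 True 1
Read - size = 65536, size_out = 65536 True 17
"""

@dataclass
class LockedFile:
    path: str
    moved_from: str | None = None
    reads: list[tuple[int, int]] = field(default_factory=list)          # (size, count)
    writes: list[tuple[int | None, int]] = field(default_factory=list)  # (offset, size)

def _norm(path: str) -> str:
    # Read/Write rows carry the NT form \??\\C:\... while Move rows carry the Win32 form; unify them.
    if path.startswith("\\??\\"):
        path = path[4:].lstrip("\\")
    return path.lower()

def parse_rows(text: str) -> dict[str, LockedFile]:
    files: dict[str, LockedFile] = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        op, target, info, ok, count = m.groups()
        if ok != "True" or op not in ("Move", "Read", "Write") or target == "-":
            continue  # failed calls and reads on the unnamed handle carry no per-file information
        rec = files.setdefault(_norm(target), LockedFile(_norm(target)))
        if op == "Move":
            src = re.search(r"source_filename = ([^,]+)", info)
            rec.moved_from = _norm(src.group(1)) if src else None
        else:
            size = int(re.search(r"\bsize = (\d+)", info).group(1))
            off = re.search(r"offset = (\d+)", info)
            if op == "Read":
                rec.reads.append((size, int(count)))
            else:
                rec.writes.append((int(off.group(1)) if off else None, size))
    return files

def plaintext_size(rec: LockedFile) -> int:
    return sum(size * count for size, count in rec.reads)

def expected_locked_size(rec: LockedFile) -> int:
    # From the read side, which the report lists in full even where it cuts the write rows short.
    return plaintext_size(rec) + FINAL_CHUNK_OVERHEAD + TRAILER_LEN

def layout_matches(rec: LockedFile) -> bool:
    """True when the write rows show the complete in-place pattern: one write per read chunk at
    the chunk's original offset, the last one FINAL_CHUNK_OVERHEAD longer, then a TRAILER_LEN write."""
    chunks = [size for size, count in rec.reads for _ in range(count)]
    data_writes = [(off, size) for off, size in rec.writes if off is not None]
    trailers = [size for off, size in rec.writes if off is None]
    if len(data_writes) != len(chunks) or trailers != [TRAILER_LEN]:
        return False
    expected_off = 0
    for i, ((off, wsize), rsize) in enumerate(zip(data_writes, chunks)):
        extra = FINAL_CHUNK_OVERHEAD if i == len(chunks) - 1 else 0
        if off != expected_off or wsize != rsize + extra:
            return False
        expected_off += rsize
    return True

def is_rename_then_encrypt(rec: LockedFile) -> bool:
    # The original is renamed to <name>.locked first (MOVEFILE_REPLACE_EXISTING), then encrypted in place.
    return rec.moved_from is not None and rec.path == rec.moved_from + ".locked" and bool(rec.reads) and bool(rec.writes)

def human_size(n: int) -> str:
    # Same rounding as the Dropped Files column (1024-based, two decimals).
    return f"{n / 1048576:.2f} MB" if n >= 1048576 else f"{n / 1024:.2f} KB"

if __name__ == "__main__":
    for rec in parse_rows(SAMPLE_ROWS).values():
        print(rec.path, is_rename_then_encrypt(rec), layout_matches(rec), human_size(expected_locked_size(rec)))
```

Pasting a process's whole File table into SAMPLE_ROWS gives one LockedFile per renamed target; a target whose layout_matches is False but whose expected_locked_size agrees with the Dropped Files entry indicates a truncated write listing rather than a different encryption routine.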
Module (78)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (39)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 13043506071 True 1
Get Time type = Performance Ctr, time = 14368131778 True 1
Get Time type = System Time True 18
Get Time type = Performance Ctr, time = 15021114936 True 1
Get Time type = Performance Ctr, time = 15064497582 True 1
Get Time type = Performance Ctr, time = 15324465376 True 1
Get Time type = Performance Ctr, time = 15358287045 True 1
Get Time type = Performance Ctr, time = 15454143350 True 1
Get Time type = Performance Ctr, time = 15508311619 True 1
Get Time type = Performance Ctr, time = 15517214928 True 1
Get Time type = Performance Ctr, time = 15562972083 True 1
Get Time type = Performance Ctr, time = 15592688799 True 1
Get Time type = Performance Ctr, time = 15775254891 True 1
Get Time type = Performance Ctr, time = 15815488441 True 1
Get Time type = Performance Ctr, time = 16457426895 True 1
Get Time type = Performance Ctr, time = 16464255003 True 1
Get Time type = Performance Ctr, time = 16582880797 True 1
Get Time type = Performance Ctr, time = 17114723659 True 1
Get Time type = Performance Ctr, time = 17325705599 True 1
Get Time type = Performance Ctr, time = 17504751474 True 1
Get Info type = Hardware Information True 2
Mutex (1764)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1763
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (7)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1035\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1045\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1042\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Extended\UiInfo.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\3082\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1055\LocalizedData.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Windows6.1-KB958488-v6001-x64.msu True 1
Process #10: zzbdrimp5619.exe
Information Value
ID #10
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:24, Reason: Child Process
Unmonitor End Time: 00:01:40, Reason: Self Terminated
Monitor Duration 00:00:16
OS Process Information
Information Value
PID 0xfac
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF68
0xFA8
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Logs\System.evtx.locked 1.07 MB MD5: 7b02aedf88fd1a3e186ecdb0e8007a9e
SHA1: 2d998bb9c93c8b2f17376ff2b071527bd3679147
SHA256: 7f77cc0eab8ffed8696b65bed2ac304467a47709f2edc37e9c997217b7934052
SSDeep: 24576:31WY3vNwkVE/ZnVE7042KlJ0c/9c+7NuaN5J:3EH/ZnKac/9/Xx
YARA Match: False
C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked 1.00 MB MD5: 4e82f6e65fb946405bdde112b52ea707
SHA1: d1adfc3775c54dedfe51e2029114b68551d8ecf8
SHA256: ab5cb58cf85942e94c0a54b4828f2d9fb404f77c3066b1e3ae0c54411c2b6755
SSDeep: 24576:tZQU9p+0mtzOIaf7IXly2/NxKewF/WA3s8Qtl9q:tZQ+pXmtzOIa7IlXRS/dsTtu
YARA Match: False
Host Behavior
File (56)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Logs\System.evtx type = file_attributes True 3
Get Info C:\Logs\System.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\System.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\System.evtx.locked source_filename = C:\Logs\System.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked source_filename = C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\System.evtx.locked size = 65536, size_out = 65536 True 17
Read \??\\C:\Logs\System.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked size = 65536, size_out = 65536 True 3
Write \??\\C:\Logs\System.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 720896, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 786432, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 851968, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 917504, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 983040, size = 65536 True 1
Write \??\\C:\Logs\System.evtx.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-SettingSync%4Debug.evtx.locked offset = 65536, size = 65536 True 1
Module (80)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (25)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 17642157774 True 1
Get Time type = Performance Ctr, time = 17725544501 True 1
Get Time type = System Time True 11
Get Time type = Performance Ctr, time = 17810256145 True 1
Get Time type = Performance Ctr, time = 17888624161 True 1
Get Time type = Performance Ctr, time = 18005697299 True 1
Get Time type = Performance Ctr, time = 18084590007 True 1
Get Time type = Performance Ctr, time = 18282846126 True 1
Get Time type = Performance Ctr, time = 18449838438 True 1
Get Time type = Performance Ctr, time = 18534386604 True 1
Get Time type = Performance Ctr, time = 18622107549 True 1
Get Time type = Performance Ctr, time = 18731537540 True 1
Get Time type = Performance Ctr, time = 19006268482 True 1
Get Info type = Hardware Information True 2
Mutex (3)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 2
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Debug (1)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\System.evtx True 1
Process #11: zzbdrimp5619.exe
432 0
Information Value
ID #11
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:24
OS Process Information
Information Value
PID 0xfec
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFF8
0x9B0
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Boot\Fonts\malgun_boot.ttf.locked 173.40 KB MD5: c8519c76956fedb44ac0bd690f1f0db8
SHA1: 111ba61840e588a5d9a0b774cb5ab1f936b557e6
SHA256: 0253b417a3501bb95dd75fa051d9dec615b827e43dfc82794f3f35d6a9ff610c
SSDeep: 3072:+o0NJG0XZoDzS7vByuVlEwYH/yILcZsCY8DbcaK3jXIh/a78GCKpTxxo:+o0LG0XZZyaYfyILK06K8hy7zCoS
YARA Match: False
C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked 180.64 KB MD5: d989699da1ff62e7caba7899c0c40c85
SHA1: da3c8f9e72f00b57ad34d8a91711eedcb87126d9
SHA256: a62be2b01b6842c1283313544a732e02661aeb885e2e4c3391cd8e883719353e
SSDeep: 3072:LwI8NFev1lhLm0qhSKX0IPQdAkXET7guPQfucaK7Ig2agIo62UbBhDzd44ioB:LwICQ1l5m75gETMuPeucrIx7Ixbu2B
YARA Match: False
C:\Boot\memtest.exe.locked 793.05 KB MD5: 660f608036f9d24153e11644b5dea537
SHA1: 800f37757a57542095aebf3a4c014c92b1fed1b5
SHA256: a40242b06e5c08f5c1095654df97b95dd62beee3b4b709ab7db30960c7d43974
SSDeep: 24576:VTArxom81He/vNN46D4QgNg35PSvtvwasFeVddTh24UrewZ/z:VTUxoHmN46v0gpPyZwOddThRUrewZ/z
YARA Match: False
Host Behavior
File (56)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Boot\memtest.exe type = file_attributes True 3
Get Info C:\Boot\memtest.exe.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\RGB9RAST_x64.msi type = file_attributes True 3
Get Info C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked type = file_attributes False 1
Get Info C:\Boot\Fonts\malgun_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\malgun_boot.ttf.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\memtest.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Fonts\malgun_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Boot\memtest.exe.locked source_filename = C:\Boot\memtest.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked source_filename = C:\588bce7c90097ed212\RGB9RAST_x64.msi, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\Fonts\malgun_boot.ttf.locked source_filename = C:\Boot\Fonts\malgun_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Boot\memtest.exe.locked size = 65536, size_out = 65536 True 12
Read \??\\C:\Boot\memtest.exe.locked size = 25504, size_out = 25504 True 1
Read \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked size = 65536, size_out = 65536 True 2
Read \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked size = 53760, size_out = 53760 True 1
Read \??\\C:\Boot\Fonts\malgun_boot.ttf.locked size = 65536, size_out = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 720896, size = 65536 True 1
Write \??\\C:\Boot\memtest.exe.locked offset = 786432, size = 25508 True 1
Write \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked offset = 65536, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked offset = 131072, size = 53764 True 1
Write \??\\C:\588bce7c90097ed212\RGB9RAST_x64.msi.locked size = 144 True 1
Module (76)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (29)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 17841995026 True 1
Get Time type = Performance Ctr, time = 18133932851 True 1
Get Time type = System Time True 13
Get Time type = Performance Ctr, time = 18143765359 True 1
Get Time type = Performance Ctr, time = 18275425373 True 1
Get Time type = Performance Ctr, time = 18288838372 True 1
Get Time type = Performance Ctr, time = 18392673708 True 1
Get Time type = Performance Ctr, time = 18491113423 True 1
Get Time type = Performance Ctr, time = 18643054088 True 1
Get Time type = Performance Ctr, time = 19059242159 True 1
Get Time type = Performance Ctr, time = 19182164973 True 1
Get Time type = Performance Ctr, time = 19291634571 True 1
Get Time type = Performance Ctr, time = 19347575251 True 1
Get Time type = Performance Ctr, time = 19476409600 True 1
Get Time type = Performance Ctr, time = 19553732714 True 1
Get Info type = Hardware Information True 2
Mutex (253)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 252
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Debug (1)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\Fonts\malgun_boot.ttf True 1
Process #12: zzbdrimp5619.exe
178 0
Information Value
ID #12
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:25, Reason: Child Process
Unmonitor End Time: 00:01:48, Reason: Self Terminated
Monitor Duration 00:00:23
OS Process Information
Information Value
PID 0xf1c
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD0C
0xD3C
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked 1.00 MB MD5: b988196df071840ddd049f1823d89966
SHA1: 31f3d15ad5e87fce85e82612f23b497cc2735117
SHA256: 7b7bec1b48e90f0654752da015a7f7089b2de2976e680af7e994e2e05a8fee45
SSDeep: 24576:/uHZKnr9LZKO+Y1JS01o1l9/EC+f6kO9rcPtZ4UserFigg71y:/uHZuhZD1oj+ikKA7serMgy1y
YARA Match: False
C:\bootmgr.locked 386.11 KB MD5: 08d12c35e6f02026cede69d3816ef0fa
SHA1: 892a27f0011ce74b9f69a650b89cbd084d154288
SHA256: 3c2ed605ac7ef39bbbe63445bce5bb673a6283c751975a01173500589ced79a3
SSDeep: 12288:ynk3KsxE3J57sBiIVEzy4+RHBqn3Yx+t1:y8rGJ2hZEox+L
YARA Match: False
Host Behavior
File (51)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\bootmgr type = file_attributes True 3
Get Info C:\bootmgr.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\bootmgr.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\bootmgr.locked source_filename = C:\bootmgr, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked size = 65536, size_out = 65536 True 16
Read \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\bootmgr.locked size = 65536, size_out = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 720896, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 786432, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 851968, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 917504, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 983040, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx.locked offset = 1048576, size = 4100 True 1
Module (80)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (27)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 17873949869 True 1
Get Time type = Performance Ctr, time = 18007499070 True 1
Get Time type = System Time True 12
Get Time type = Performance Ctr, time = 18082225123 True 1
Get Time type = Performance Ctr, time = 18138571854 True 1
Get Time type = Performance Ctr, time = 18317168677 True 1
Get Time type = Performance Ctr, time = 18437542736 True 1
Get Time type = Performance Ctr, time = 18699593470 True 1
Get Time type = Performance Ctr, time = 18973613897 True 1
Get Time type = Performance Ctr, time = 19137201928 True 1
Get Time type = Performance Ctr, time = 19211536495 True 1
Get Time type = Performance Ctr, time = 19302283545 True 1
Get Time type = Performance Ctr, time = 19521419588 True 1
Get Time type = Performance Ctr, time = 19656435286 True 1
Get Info type = Hardware Information True 2
Mutex (3)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 2
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (1)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-ApplicationResourceManagementSystem%4Operational.evtx True 1
Process #13: zzbdrimp5619.exe
688 0
Information Value
ID #13
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:30, Reason: Child Process
Unmonitor End Time: 00:01:49, Reason: Self Terminated
Monitor Duration 00:00:19
OS Process Information
Information Value
PID 0x7a8
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD14
0xB80
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Boot\Fonts\msjhn_boot.ttf.locked 158.67 KB MD5: 5bb5c7ade89560765232c2c8752252b1
SHA1: 37ca3fd29c7c192ac380cbe57ab3564ce98b1bad
SHA256: 249dd92d34458c5dc409c847834aeb50e87cc6b1bb7f71ac8fd61fe78e9ec7fe
SSDeep: 3072:0S/EvoFt4zcMiIY/7jFFs0gCzayFk/R707ByT+Gv7xVll:05vmmY/XIqza5R709y6GvVVll
False
C:\588bce7c90097ed212\sqmapi.dll.locked 141.18 KB MD5: e7f1fb32831de1fdc9ef4d48adcb54d6
SHA1: b977b5da05883be602117f3d9ad10976c6484f7d
SHA256: eacbe519e633be768c017a01d7cf202bfcef39d9ea5bd1e900507ecb4ddb7399
SSDeep: 3072:hZ2/kCbUZXcfXY/BMi5PiZBystRs5yWKkm9bw51yZeQ5NM7nW:hZ2/kHXqEBBiZTR+1KkucqZvzM7nW
False
C:\Boot\bootvhd.dll.locked 97.55 KB MD5: 173c443c202a981099f8789855e2a9ff
SHA1: 819ffe2ea5e026fa10fbd67e3519c231b3cd24e7
SHA256: 9f4a6240486959568cface01c4c085f39e5a7059efe79d233bb7574243714730
SSDeep: 3072:oxXpTzCIS+z0ia98pZbXUQfwO7O5eYjbnqluOH/X:oxRuIg8pZjfwUAbcui/X
False
C:\588bce7c90097ed212\SetupUtility.exe.locked 93.98 KB MD5: b8feef7eca627e817d50e4ae3b306cf6
SHA1: 9b79c29d6c07c60eeddcb075f2970946c39fea00
SHA256: a8a8f4c3960586c9b4e56c216c9c91cd36347d6dc571fef050c18af210554e4e
SSDeep: 1536:JWLmXzba6E9kOxPMccL2h9+xQqvm2C9mLiSWbamCR9TfzAz1pMB4nltcVOCApYu7:wCE9kVHLM9I+2hLz3Az1pm4nsMpYuDsK
False
Host Behavior
File (51)
Operation Filename Additional Information Success Count
Get Info C:\Boot\Fonts\msjhn_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\msjhn_boot.ttf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\sqmapi.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\sqmapi.dll.locked type = file_attributes False 1
Get Info C:\Boot\bootvhd.dll type = file_attributes True 3
Get Info C:\Boot\bootvhd.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\SetupUtility.exe type = file_attributes True 3
Get Info C:\588bce7c90097ed212\SetupUtility.exe.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\sqmapi.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\bootvhd.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\SetupUtility.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Boot\Fonts\msjhn_boot.ttf.locked source_filename = C:\Boot\Fonts\msjhn_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\sqmapi.dll.locked source_filename = C:\588bce7c90097ed212\sqmapi.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\bootvhd.dll.locked source_filename = C:\Boot\bootvhd.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\SetupUtility.exe.locked source_filename = C:\588bce7c90097ed212\SetupUtility.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked size = 65536, size_out = 65536 True 2
Read \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked size = 31259, size_out = 31259 True 1
Read \??\\C:\588bce7c90097ed212\sqmapi.dll.locked size = 65536, size_out = 65536 True 2
Read \??\\C:\588bce7c90097ed212\sqmapi.dll.locked size = 13344, size_out = 13344 True 1
Read \??\\C:\Boot\bootvhd.dll.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\bootvhd.dll.locked size = 34208, size_out = 34208 True 1
Read \??\\C:\588bce7c90097ed212\SetupUtility.exe.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\588bce7c90097ed212\SetupUtility.exe.locked size = 30552, size_out = 30552 True 1
Write \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked offset = 131072, size = 31263 True 1
Write \??\\C:\Boot\Fonts\msjhn_boot.ttf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\sqmapi.dll.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\sqmapi.dll.locked offset = 65536, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\sqmapi.dll.locked offset = 131072, size = 13348 True 1
Write \??\\C:\588bce7c90097ed212\sqmapi.dll.locked size = 144 True 1
Write \??\\C:\Boot\bootvhd.dll.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\bootvhd.dll.locked offset = 65536, size = 34212 True 1
Write \??\\C:\Boot\bootvhd.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\SetupUtility.exe.locked offset = 0, size = 65536 True 1
Write \??\\C:\588bce7c90097ed212\SetupUtility.exe.locked offset = 65536, size = 30556 True 1
Module (78)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (33)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 18313211374 True 1
Get Time type = Performance Ctr, time = 18448052075 True 1
Get Time type = System Time True 15
Get Time type = Performance Ctr, time = 18470056240 True 1
Get Time type = Performance Ctr, time = 18646371736 True 1
Get Time type = Performance Ctr, time = 18711889986 True 1
Get Time type = Performance Ctr, time = 18855173348 True 1
Get Time type = Performance Ctr, time = 18869961010 True 1
Get Time type = Performance Ctr, time = 18916590377 True 1
Get Time type = Performance Ctr, time = 18928398432 True 1
Get Time type = Performance Ctr, time = 19005466338 True 1
Get Time type = Performance Ctr, time = 19128423730 True 1
Get Time type = Performance Ctr, time = 19205861166 True 1
Get Time type = Performance Ctr, time = 19326340473 True 1
Get Time type = Performance Ctr, time = 19474954110 True 1
Get Time type = Performance Ctr, time = 19641628188 True 1
Get Time type = Performance Ctr, time = 19729294729 True 1
Get Info type = Hardware Information True 2
Mutex (506)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 505
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (2)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\Fonts\msjhn_boot.ttf True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\bootvhd.dll True 1
Process #14: zzbdrimp5619.exe
1126 0
Information Value
ID #14
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:39, Reason: Child Process
Unmonitor End Time: 00:02:02, Reason: Self Terminated
Monitor Duration 00:00:22
OS Process Information
Information Value
PID 0xb6c
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xD94
0xDDC
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Boot\bg-BG\bootmgr.exe.mui.locked 75.99 KB MD5: e179f3ba30b0b04d6cddbf0e509040e1
SHA1: 50847cae010d14c4be3d4d249dc4254ac46ee39e
SHA256: 2f88cb4e01e6d3b5f01b193c50ce4f85a2124920cf282c5e8ee56375b94e743a
SSDeep: 1536:NN7pRnXclOHqKJmHYfJA6N40nlh7Rml+yrFvUMuA+npmfRlQ:NlDslEhkHELRmkARkATlQ
False
C:\Boot\uk-UA\bootmgr.exe.mui.locked 75.49 KB MD5: 833ffb73799aa0ccbd215270d5c5f94a
SHA1: b3df65c67d37a7a6cf32d38988be4f513c1ca340
SHA256: 528976d4676cac1611f73e80dcd2142efebf729636d7d0749041b46471d3153d
SSDeep: 1536:rXYPF+cb/tOOuHiLg0D+MsHDrpdHfBckwAed/jleNmD6+Aon6KKle9fIcYI:rXYdPUOuC9qHDrLpGnd/jMwD6xo7KY9/
False
C:\Boot\it-IT\bootmgr.exe.mui.locked 75.48 KB MD5: bd0f1b5697c61e1b1c2e4b69e9669f00
SHA1: 8fc50f91dd41a1e0fb4d5c10e20b37462e47b888
SHA256: 08289605835f46df4f0273227933b94f4a6ab586eae4181815994bd745d27612
SSDeep: 1536:l48XzHd0P2dWD3BjdW/xGQLzdhQUTuliVARTFmLzXVzhnRV1ptab7UJT:l3hkO6BjduUQgtKKEhNnRZ84
False
C:\Boot\pt-PT\bootmgr.exe.mui.locked 74.99 KB MD5: d7dab973f1e44096ba4cd0204a2e9375
SHA1: 06b5cabfc45174b3fa349c30cbcfdb264759f5ba
SHA256: 67d35150ff0c9b1eb2bf2140efd836b9c440c83d96ed6aa182b42b8de06097e3
SSDeep: 1536:G8lWpWQC8oJgUCCzm1EBlD7W0FjsGkEH6Bts+794rIzNxK4r8TvlR:1wgp8Uzm1aPtFdkiksesIdrCj
False
C:\Boot\fi-FI\bootmgr.exe.mui.locked 74.99 KB MD5: 33a9d524d6e3fe59a29f864a4f851188
SHA1: 95405a18951d75474c9241ec467a8bdff6f5e87d
SHA256: 9a77b48c5f76cbf8065d041b9ecebb3b2eacc25a3d62f775a2fc813b844e8fac
SSDeep: 1536:SisvPpBy4M9pKv56Nx7DuwC9zmHOR/nNa5Mv1F6ToSh:SiIpByj9i56NtdCIuRPNVoZ
False
Host Behavior
File (59)
Operation Filename Additional Information Success Count
Get Info C:\Boot\bg-BG\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\bg-BG\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\uk-UA\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\uk-UA\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\it-IT\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\it-IT\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\pt-PT\bootmgr.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\pt-PT\bootmgr.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\Boot\fi-FI\bootmgr.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\fi-FI\bootmgr.exe.mui.locked type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\Boot\bg-BG\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\uk-UA\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\it-IT\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\pt-PT\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\fi-FI\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\Boot\bg-BG\bootmgr.exe.mui.locked source_filename = C:\Boot\bg-BG\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\uk-UA\bootmgr.exe.mui.locked source_filename = C:\Boot\uk-UA\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\it-IT\bootmgr.exe.mui.locked source_filename = C:\Boot\it-IT\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\pt-PT\bootmgr.exe.mui.locked source_filename = C:\Boot\pt-PT\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\fi-FI\bootmgr.exe.mui.locked source_filename = C:\Boot\fi-FI\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\Boot\bg-BG\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Boot\bg-BG\bootmgr.exe.mui.locked size = 12128, size_out = 12128 True 1
Fn
Data
Read \??\\C:\Boot\uk-UA\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Boot\uk-UA\bootmgr.exe.mui.locked size = 11616, size_out = 11616 True 1
Fn
Data
Read \??\\C:\Boot\it-IT\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Boot\it-IT\bootmgr.exe.mui.locked size = 11608, size_out = 11608 True 1
Fn
Data
Read \??\\C:\Boot\pt-PT\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Boot\pt-PT\bootmgr.exe.mui.locked size = 11104, size_out = 11104 True 1
Fn
Data
Read \??\\C:\Boot\fi-FI\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Boot\fi-FI\bootmgr.exe.mui.locked size = 11104, size_out = 11104 True 1
Fn
Data
Write \??\\C:\Boot\bg-BG\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\bg-BG\bootmgr.exe.mui.locked offset = 65536, size = 12132 True 1
Fn
Data
Write \??\\C:\Boot\bg-BG\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\uk-UA\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\uk-UA\bootmgr.exe.mui.locked offset = 65536, size = 11620 True 1
Fn
Data
Write \??\\C:\Boot\uk-UA\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\it-IT\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\it-IT\bootmgr.exe.mui.locked offset = 65536, size = 11612 True 1
Fn
Data
Write \??\\C:\Boot\it-IT\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\pt-PT\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\pt-PT\bootmgr.exe.mui.locked offset = 65536, size = 11108 True 1
Fn
Data
Write \??\\C:\Boot\pt-PT\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\fi-FI\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\fi-FI\bootmgr.exe.mui.locked offset = 65536, size = 11108 True 1
Fn
Data
Write \??\\C:\Boot\fi-FI\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Module (76)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (35)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 19228138670 True 1
Get Time type = Performance Ctr, time = 19464530565 True 1
Get Time type = System Time True 16
Get Time type = Performance Ctr, time = 19485313920 True 1
Get Time type = Performance Ctr, time = 19654210892 True 1
Get Time type = Performance Ctr, time = 19665714185 True 1
Get Time type = Performance Ctr, time = 19777850292 True 1
Get Time type = Performance Ctr, time = 19802453903 True 1
Get Time type = Performance Ctr, time = 19868015389 True 1
Get Time type = Performance Ctr, time = 19893396783 True 1
Get Time type = Performance Ctr, time = 19982663442 True 1
Get Time type = Performance Ctr, time = 19998426660 True 1
Get Time type = Performance Ctr, time = 20128864778 True 1
Get Time type = Performance Ctr, time = 20321589526 True 1
Get Time type = Performance Ctr, time = 20535363214 True 1
Get Time type = Performance Ctr, time = 20601205572 True 1
Get Time type = Performance Ctr, time = 20968905693 True 1
Get Time type = Performance Ctr, time = 21054251675 True 1
Get Info type = Hardware Information True 2
Mutex (934)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 933
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (3)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\pt-PT\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\fi-FI\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\nb-NO\bootmgr.exe.mui True 1
Process #15: zzbdrimp5619.exe
Information Value
ID #15
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:44, Reason: Child Process
Unmonitor End Time: 00:02:04, Reason: Self Terminated
Monitor Duration 00:00:20
OS Process Information
Information Value
PID 0xdd8
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F4, 0xBE8
Dropped Files
Filename File Size YARA Match
C:\Boot\sl-SI\bootmgr.exe.mui.locked 74.99 KB False
C:\Boot\pt-BR\bootmgr.exe.mui.locked 74.99 KB False
C:\Boot\sv-SE\bootmgr.exe.mui.locked 74.49 KB False
C:\Boot\da-DK\bootmgr.exe.mui.locked 73.99 KB False
C:\Boot\en-US\bootmgr.exe.mui.locked 72.55 KB False
Host Behavior
File (59)
Operation Filename Additional Information Success Count
Get Info C:\Boot\sl-SI\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\sl-SI\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\pt-BR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-BR\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\sv-SE\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\sv-SE\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\da-DK\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\da-DK\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\en-US\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\en-US\bootmgr.exe.mui.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\sl-SI\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\pt-BR\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\sv-SE\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\da-DK\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\en-US\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Boot\sl-SI\bootmgr.exe.mui.locked source_filename = C:\Boot\sl-SI\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\pt-BR\bootmgr.exe.mui.locked source_filename = C:\Boot\pt-BR\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\sv-SE\bootmgr.exe.mui.locked source_filename = C:\Boot\sv-SE\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\da-DK\bootmgr.exe.mui.locked source_filename = C:\Boot\da-DK\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\en-US\bootmgr.exe.mui.locked source_filename = C:\Boot\en-US\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Boot\sl-SI\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\sl-SI\bootmgr.exe.mui.locked size = 11104, size_out = 11104 True 1
Read \??\\C:\Boot\pt-BR\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\pt-BR\bootmgr.exe.mui.locked size = 11104, size_out = 11104 True 1
Read \??\\C:\Boot\sv-SE\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\sv-SE\bootmgr.exe.mui.locked size = 10592, size_out = 10592 True 1
Read \??\\C:\Boot\da-DK\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\da-DK\bootmgr.exe.mui.locked size = 10080, size_out = 10080 True 1
Read \??\\C:\Boot\en-US\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\en-US\bootmgr.exe.mui.locked size = 8608, size_out = 8608 True 1
Write \??\\C:\Boot\sl-SI\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\sl-SI\bootmgr.exe.mui.locked offset = 65536, size = 11108 True 1
Write \??\\C:\Boot\sl-SI\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\pt-BR\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\pt-BR\bootmgr.exe.mui.locked offset = 65536, size = 11108 True 1
Write \??\\C:\Boot\pt-BR\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\sv-SE\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\sv-SE\bootmgr.exe.mui.locked offset = 65536, size = 10596 True 1
Write \??\\C:\Boot\sv-SE\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\da-DK\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\da-DK\bootmgr.exe.mui.locked offset = 65536, size = 10084 True 1
Write \??\\C:\Boot\da-DK\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\en-US\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\en-US\bootmgr.exe.mui.locked offset = 65536, size = 8612 True 1
Write \??\\C:\Boot\en-US\bootmgr.exe.mui.locked size = 144 True 1
Module (80)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (35)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 19673800538 True 1
Get Time type = Performance Ctr, time = 19801262813 True 1
Get Time type = System Time True 16
Get Time type = Performance Ctr, time = 19806228487 True 1
Get Time type = Performance Ctr, time = 19913903281 True 1
Get Time type = Performance Ctr, time = 19951521757 True 1
Get Time type = Performance Ctr, time = 20097265801 True 1
Get Time type = Performance Ctr, time = 20102326354 True 1
Get Time type = Performance Ctr, time = 20216574762 True 1
Get Time type = Performance Ctr, time = 20233870331 True 1
Get Time type = Performance Ctr, time = 20331519663 True 1
Get Time type = Performance Ctr, time = 20349072613 True 1
Get Time type = Performance Ctr, time = 20396753131 True 1
Get Time type = Performance Ctr, time = 20518646775 True 1
Get Time type = Performance Ctr, time = 20960411662 True 1
Get Time type = Performance Ctr, time = 21188919162 True 1
Get Time type = Performance Ctr, time = 21292909756 True 1
Get Time type = Performance Ctr, time = 21381626156 True 1
Get Info type = Hardware Information True 2
Mutex (1165)
»
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1164
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Debug (3)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\sl-SI\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\da-DK\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx True 1
Process #16: zzbdrimp5619.exe
1428 0
Information Value
ID #16
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:45, Reason: Child Process
Unmonitor End Time: 00:02:06, Reason: Self Terminated
Monitor Duration 00:00:21
OS Process Information
Information Value
PID 0xe38
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE94
0xF64
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Boot\hr-HR\bootmgr.exe.mui.locked 74.99 KB MD5: 5aacbdead6ab7243dca92a3c72b21ed4
SHA1: 71bbbad89709177f7e141c8282c30eb4d9d5c79b
SHA256: 13fe22637b0d4b529a2809acfa66e0bb576bcaba49e149ff51968df17d810882
SSDeep: 1536:QUDBSdm6j86Nguc8WhQcvgYXQX7wzW20blCAn4d81VjXuvQ83Gj30RLoxN8:QUQtj86NxdT1XUzW20wAn4dmw/u30RLV
False
C:\Boot\lt-LT\bootmgr.exe.mui.locked 73.99 KB MD5: cee1f57ef072b851be88c237ce7c262e
SHA1: 57dd67d57f98af3144f1886eca25e29c52e077df
SHA256: cba0be026e721e6dd3792670bc17dd98d974603d30fd15f1b203264dc3919eff
SSDeep: 1536:jGFRgyxkIWedP6A2s/g4ASlkAIlBkf1xger0JMn+1fBbcb+IYngh:jGcyxk8diA2iPFv4B21megLu3Lh
False
C:\Boot\et-EE\bootmgr.exe.mui.locked 73.49 KB MD5: 69e99d1888fcdb7249a746d66e268c11
SHA1: 0e3fba81a2fd7a8c5e18d72a298499f4288f16dd
SHA256: 521b903e1e9ad877c7462572497f090f80abe235e6d977b3ba2650e2eb0c940d
SSDeep: 1536:EQj+4CSWiW3QDu5BgnoVVkv5EynRhp7Q2UfoQOaWvunIIyF:U8QQDixVkvWy582JUrq
False
C:\Boot\en-GB\bootmgr.exe.mui.locked 72.48 KB MD5: 98b52acd1819e3f389483f3e01f6776a
SHA1: 3feac40a72f12ed9661564a38c42cf6f78fd553e
SHA256: 9d3fd5faf514060923878c7f2179a749ea6298952ec85c52bf49ba5e0339b958
SSDeep: 1536:VoyLLi1ibnwUTkcO1Z2jhKgOCjvccrYBSgRKZuM5c++JWZqv2TdeBERW1:7WaTkcsZUMCjvccrYKuMd8WZpiR1
False
C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked 68.14 KB MD5: 5b49953365775ad23e907566b2de8d89
SHA1: b9a573b56e1585021c9c7f80492b82882898b178
SHA256: 7033f0d0923f02d72f203ed5ae0dfe678c2fdc07d55c5a486965d3200f78be46
SSDeep: 1536:0exnkD4JxsZoGgly0o/GgsdpCKb3S2CA6l4a3bAyF:0an9xFA0qCJOZVF
False
C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.locked 68.14 KB MD5: 436f7e067731aa15efd622c8f4c270c2
SHA1: bcfab66cca5515351348bcd8e0fe0c579e0c2a24
SHA256: a4edbfc8002508ff9324ed84438c74d1f41536ec1d7dc6aa164dc9bdd34028d9
SSDeep: 1536:Uix27LV1C9ksIpwELYualcHoIPNcmJbxKR:mRI9ksqwQalcIgyGxKR
False
Host Behavior
File (66)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Boot\hr-HR\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\hr-HR\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\lt-LT\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\lt-LT\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\et-EE\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\et-EE\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\en-GB\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\en-GB\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\hr-HR\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\lt-LT\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\et-EE\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\en-GB\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Boot\hr-HR\bootmgr.exe.mui.locked source_filename = C:\Boot\hr-HR\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\lt-LT\bootmgr.exe.mui.locked source_filename = C:\Boot\lt-LT\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\et-EE\bootmgr.exe.mui.locked source_filename = C:\Boot\et-EE\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\en-GB\bootmgr.exe.mui.locked source_filename = C:\Boot\en-GB\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked source_filename = C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.locked source_filename = C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Boot\hr-HR\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\hr-HR\bootmgr.exe.mui.locked size = 11104, size_out = 11104 True 1
Read \??\\C:\Boot\lt-LT\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\lt-LT\bootmgr.exe.mui.locked size = 10080, size_out = 10080 True 1
Read \??\\C:\Boot\et-EE\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\et-EE\bootmgr.exe.mui.locked size = 9568, size_out = 9568 True 1
Read \??\\C:\Boot\en-GB\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\en-GB\bootmgr.exe.mui.locked size = 8536, size_out = 8536 True 1
Read \??\\C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.locked size = 65536, size_out = 65536 True 1
Write \??\\C:\Boot\hr-HR\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\hr-HR\bootmgr.exe.mui.locked offset = 65536, size = 11108 True 1
Write \??\\C:\Boot\hr-HR\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\lt-LT\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\lt-LT\bootmgr.exe.mui.locked offset = 65536, size = 10084 True 1
Write \??\\C:\Boot\lt-LT\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\et-EE\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\et-EE\bootmgr.exe.mui.locked offset = 65536, size = 9572 True 1
Write \??\\C:\Boot\et-EE\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\en-GB\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\en-GB\bootmgr.exe.mui.locked offset = 65536, size = 8540 True 1
Write \??\\C:\Boot\en-GB\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.locked size = 144 True 1
Module (80)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (35)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 19793695532 True 1
Get Time type = Performance Ctr, time = 19958034861 True 1
Get Time type = System Time True 16
Get Time type = Performance Ctr, time = 19965743818 True 1
Get Time type = Performance Ctr, time = 20134601969 True 1
Get Time type = Performance Ctr, time = 20157490712 True 1
Get Time type = Performance Ctr, time = 20297131558 True 1
Get Time type = Performance Ctr, time = 20315361443 True 1
Get Time type = Performance Ctr, time = 20398499724 True 1
Get Time type = Performance Ctr, time = 20430182876 True 1
Get Time type = Performance Ctr, time = 20566538287 True 1
Get Time type = Performance Ctr, time = 20569792590 True 1
Get Time type = Performance Ctr, time = 20777362569 True 1
Get Time type = Performance Ctr, time = 20957156069 True 1
Get Time type = Performance Ctr, time = 21203702734 True 1
Get Time type = Performance Ctr, time = 21318124426 True 1
Get Time type = Performance Ctr, time = 21515786057 True 1
Get Time type = Performance Ctr, time = 21591123256 True 1
Get Info type = Hardware Information True 2
Mutex (1225)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1224
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Debug (2)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\hr-HR\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\en-GB\bootmgr.exe.mui True 1
Process #17: zzbdrimp5619.exe
683 0
Information Value
ID #17
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:46, Reason: Child Process
Unmonitor End Time: 00:02:03, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0x83c
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF7C
0x4A4
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Boot\ro-RO\bootmgr.exe.mui.locked 74.49 KB MD5: 24221727da85ae61468b1618b052444a
SHA1: 33d1f625a7b3703bcd2ca0ba14b9e09921bd8554
SHA256: 97d17287f1e052028beb2bcc27aee9cdcd523c2ef0f7ad8fb87264b7cfe079bc
SSDeep: 1536:AWKaG3fl0ZVnBvZZNlscRC1NqFbMYCJAkOK8n8fB8uf:TPwWZVNRRy2bdCJAkdRfB/f
False
C:\Boot\cs-CZ\bootmgr.exe.mui.locked 74.98 KB MD5: fe6b72d5ade0e80ba20c8f56378e97a0
SHA1: c4f0b15253acd0da0f3c1710c1623e5b6def420e
SHA256: 1700513fe0cf2342f9ce9d7dd47de793aa5293cad9b1ac241c159c8d6ba33bcb
SSDeep: 1536:np/L7Dj3bc4NPzjzjChuKbDCBVHLJ1fedR3eikB:pj7X3bfN7jBKbYVHCeX
False
C:\Boot\lv-LV\bootmgr.exe.mui.locked 73.98 KB MD5: 1f6197bde26f0b2fb1b4521acb761a48
SHA1: f87920eb7805349aced4f2d55ace0d29e6354173
SHA256: 6bc4d44ad897344e5d1094aec6cc730e945e6927253e35687a033f7c2a3f456a
SSDeep: 1536:Om9CVcFwRMpUen4rJdFKWXsu8MB2mv0zSkME/KV5+ZBBotcdg/Nu8nsuC:O7VwqMpUen4rJdFKfccmv7NV5KB1d8uT
False
C:\Boot\qps-ploc\bootmgr.exe.mui.locked 72.49 KB MD5: 4bc76ae36fc92e3045a8b53904f35bd2
SHA1: fce94696aa59d5205315327815cbbab70b1da2d9
SHA256: 0c0bdf1afda557cad792cc248eb1b4e43a72b80a3bf3c5da1eaf423059885dbc
SSDeep: 1536:BkSkZutbw8JfrBlpNLLVKkzQlepF3f6h+84mhIuFMsY0n:vkZ+co7plLQkclQFv6hx4CFWc
False
C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked 68.14 KB MD5: 4d757e6df9852062ede2ccc3999dd7f2
SHA1: 643fd378a0c491fc3360be70b5d1dd147be804cf
SHA256: 3a03cecb324b6b160b897fb42c9c800d7dff71d2f1f3fea35fc7fe640ca7a6d3
SSDeep: 1536:83CTAd3U3au7imkKxThrq7uK8DObs+I49cRqgLFln:8STAdQ7kAThIADOb+49czFln
False
Host Behavior
File (58)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Boot\cs-CZ\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\cs-CZ\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\ro-RO\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\ro-RO\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\lv-LV\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\lv-LV\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\qps-ploc\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\qps-ploc\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\cs-CZ\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\ro-RO\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\lv-LV\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\qps-ploc\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Boot\cs-CZ\bootmgr.exe.mui.locked source_filename = C:\Boot\cs-CZ\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\ro-RO\bootmgr.exe.mui.locked source_filename = C:\Boot\ro-RO\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\lv-LV\bootmgr.exe.mui.locked source_filename = C:\Boot\lv-LV\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\qps-ploc\bootmgr.exe.mui.locked source_filename = C:\Boot\qps-ploc\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Boot\cs-CZ\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\cs-CZ\bootmgr.exe.mui.locked size = 11096, size_out = 11096 True 1
Read \??\\C:\Boot\ro-RO\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\ro-RO\bootmgr.exe.mui.locked size = 10592, size_out = 10592 True 1
Read \??\\C:\Boot\lv-LV\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\lv-LV\bootmgr.exe.mui.locked size = 10072, size_out = 10072 True 1
Read \??\\C:\Boot\qps-ploc\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\qps-ploc\bootmgr.exe.mui.locked size = 8544, size_out = 8544 True 1
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Write \??\\C:\Boot\cs-CZ\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\cs-CZ\bootmgr.exe.mui.locked offset = 65536, size = 11100 True 1
Write \??\\C:\Boot\cs-CZ\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\ro-RO\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\ro-RO\bootmgr.exe.mui.locked offset = 65536, size = 10596 True 1
Write \??\\C:\Boot\ro-RO\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\lv-LV\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\lv-LV\bootmgr.exe.mui.locked offset = 65536, size = 10076 True 1
Write \??\\C:\Boot\lv-LV\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\qps-ploc\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\qps-ploc\bootmgr.exe.mui.locked offset = 65536, size = 8548 True 1
Write \??\\C:\Boot\qps-ploc\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Module (80)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (33)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 19864918950 True 1
Get Time type = Performance Ctr, time = 20006310074 True 1
Get Time type = System Time True 15
Get Time type = Performance Ctr, time = 20011394845 True 1
Get Time type = Performance Ctr, time = 20130977903 True 1
Get Time type = Performance Ctr, time = 20151442200 True 1
Get Time type = Performance Ctr, time = 20253664554 True 1
Get Time type = Performance Ctr, time = 20269629387 True 1
Get Time type = Performance Ctr, time = 20363858432 True 1
Get Time type = Performance Ctr, time = 20375914770 True 1
Get Time type = Performance Ctr, time = 20451105394 True 1
Get Time type = Performance Ctr, time = 20529605970 True 1
Get Time type = Performance Ctr, time = 20765793916 True 1
Get Time type = Performance Ctr, time = 20856929086 True 1
Get Time type = Performance Ctr, time = 21025046439 True 1
Get Time type = Performance Ctr, time = 21176364435 True 1
Get Time type = Performance Ctr, time = 21261124685 True 1
Get Info type = Hardware Information True 2
Mutex (489)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 488
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (4)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\cs-CZ\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\ro-RO\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\lv-LV\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\qps-ploc\bootmgr.exe.mui True 1
Process #18: zzbdrimp5619.exe
669 0
Information Value
ID #18
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:01:59, Reason: Child Process
Unmonitor End Time: 00:02:15, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0x714
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF60, 0x824
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked 68.14 KB (YARA Match: False)
MD5: 5a2a9923e4dc4fa2253d248093b8cf00
SHA1: 10fba45c38e2310923c004248450bacfeaa948db
SHA256: f09545ee411b12c64036bc8e4e52402b35d6fcd52e9a77d980ab1c9cb4514f41
SSDeep: 1536:lLmxRrYL/5Yhs40dC4iP4v/u44kLGV5Rj2gUKc1zWyBf5Vxr:46WhwdC4iP4Hu445Vfj2drHBfl
C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked 68.14 KB (YARA Match: False)
MD5: 310b14d2d841224d1467bf90001f08e6
SHA1: 9ea3c2f08f6f465ee2b782229b1837e70614d294
SHA256: 69ca342f973677f7f3eb1c1d2d4dac34e596d4aae79f13cea379e9ad57c766c3
SSDeep: 1536:QqATwebYlwPuHKM1AJ7RvYwhAu+1sMBorTnsGfJ+F:QhslEM1ALv3GuQu8s8F
C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: 7cebe15e363c3329ecb8e17d6dc7e88f
SHA1: 4a7511accf1acdcd98bc93d57ae4f2f5f5914ff1
SHA256: 45737a9ca9c256b22bfb9141d69ad2166169067ef29c75a26716b5978d7d9fd2
SSDeep: 1536:n5OBD5FCUwXGdCTB07JbMT1lvpBJJNQAp8IiWY4ZGdiUfTkWSp/vTmQM:nopW24TKJbMBlLJb9PZYi+TVR
C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: 0343920b300ccd5d025f1680ec249e07
SHA1: fa4dd853a323b4f0e614d21a2c15349b30bc601e
SHA256: 6c010a8c105a95501d14ef5db9d04b62485f433313e87104060d95ef96ab8246
SSDeep: 1536:TArEQrEtvDNwdOc5X4Y/Dk5kvfHFOm6+GAYN9FKqm89t7zA:0rEtbNw/bCkFwTjFKl8r7zA
C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: d3d8c0d5c2f5e3bfe47b503a59141edd
SHA1: c4035492cf8f47f1a98abb9d65f6125c3c529e72
SHA256: d02eb2ee9b83e8324fd3383c614c1b6648345101455a6652fa2d562fe01ca780
SSDeep: 1536:0Nb5zf6s4kjAxg37N59+KiG8Hs5fdZPFp8fBYDomvN:mdzf6x/xg37N59+T/mdeWP
Host Behavior
File (58)
Operation Filename Additional Information Success Count
Get Info C:\Logs\Microsoft-Windows-MUI%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Known Folders API Service.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-MUI%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Known Folders API Service.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Write \??\\C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-MUI%4Admin.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Known Folders API Service.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Module (80)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (33)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 21282758390 True 1
Get Time type = Performance Ctr, time = 21402368149 True 1
Get Time type = System Time True 15
Get Time type = Performance Ctr, time = 21406242345 True 1
Get Time type = Performance Ctr, time = 21451944446 True 1
Get Time type = Performance Ctr, time = 21481491415 True 1
Get Time type = Performance Ctr, time = 21529468466 True 1
Get Time type = Performance Ctr, time = 21562639985 True 1
Get Time type = Performance Ctr, time = 21610817698 True 1
Get Time type = Performance Ctr, time = 21630159553 True 1
Get Time type = Performance Ctr, time = 21691065928 True 1
Get Time type = Performance Ctr, time = 21851390168 True 1
Get Time type = Performance Ctr, time = 21931781852 True 1
Get Time type = Performance Ctr, time = 22031574455 True 1
Get Time type = Performance Ctr, time = 22239328110 True 1
Get Time type = Performance Ctr, time = 22395073066 True 1
Get Time type = Performance Ctr, time = 22490484903 True 1
Get Info type = Hardware Information True 2
Mutex (475)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 474
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (4)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-MUI%4Admin.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-Known Folders API Service.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx True 1
Process #19: zzbdrimp5619.exe
1209 0
Information Value
ID #19
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:01, Reason: Child Process
Unmonitor End Time: 00:02:17, Reason: Self Terminated
Monitor Duration 00:00:15
OS Process Information
Information Value
PID 0xd54
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x270, 0x2E8
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked 68.14 KB (YARA Match: False)
MD5: 55832d772cf0bcecfd6edf2935ae4ce0
SHA1: 87456d45c176381a5aaeb89cd7f7eb9bf3a7b5f3
SHA256: 80b84c85414eba1ca0b8c2c783004bcb9f0a83fb8d79bf204c9138e0c1f397e5
SSDeep: 1536:pMlNUsL/JYtVmDGAi3VdQybMgqWhge5oFJJtWT12hQqVOM0W1dEhwoYOVH38o8H0:GlNUsLBYtVgGvXQhgt6e5OD0T1qjVOMa
C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: 82598d4521c8c7a0b0556d28ea1d0dd3
SHA1: 1d2bc5564dff247ba3ed22285f06f37cd474714e
SHA256: 8e11af9b6eeea50ba00643789d4c21437e58f4d56d60d67b527a2298032fff64
SSDeep: 1536:QP7FIULW0waBo0C/E9n7pJPnjP58WZevz19qafl9CJkuWEd:QzFIULW0waJ0Ed7pJntjyrRl9GNjd
C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: 6844ee31d72c1dbf181e1db670c02a87
SHA1: 90b9a634247d858ad586bc665324a7af7dd839a7
SHA256: f7f90765fc63fe0736948cdaab1881c4b5104a7c60afa2f23f3bbea2bb38a9dd
SSDeep: 1536:D41frGaBGQs0QKmJwSr1B95teALnuTuj4Xfuwl/WoCFxF1:MFZBGQoKyz1NtPL14vubdx1
C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: e079cbb96384904dfb661222cbb28d82
SHA1: 5e3e258fc415c850c8ff4723635823831550f84a
SHA256: eaf9210aa7a87f1ff597aa41d3c70b8e89f110c47b94b18cc09440d51453413d
SSDeep: 1536:PkNol4BaRegV9YX7/yvLelpmORRIudov2GYlCsVaGlc4uKYJAR/ex:sNhBLgVu1frj6vtYhVaeGKYeR/0
C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked 68.14 KB (YARA Match: False)
MD5: 85a1bd12fc696139707bc709a66900ae
SHA1: e5b5f2f296b836bd62da3a897965488649556846
SHA256: f229fdcaf2b2b318a738b19fbadbfa794e78bc863fc33580da156cae2f19fc30
SSDeep: 1536:i+LhwQSRFYfBk5tEcnnEbAAGTpF3Atmprqv9wXbczpsNMCxG4P:i/QSR6oWon/r19liLKNMO
C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.locked 68.14 KB (YARA Match: False)
MD5: f97acc3a49a4d5ff91fa4c1024dae84d
SHA1: 08927b8c2fcc0fa5f7a64e6389a6a7a12092439f
SHA256: e17a75b9122e90981339c11b7b65f909d2e103bb9a18ba08e53c5bdcf8427ce6
SSDeep: 1536:490IFMk4EvQT3vHA1Gs0i77+tp737XWIkczUvYH:y0IP41T3vHV3tp73iIJ/H
Host Behavior
File (66)
Operation Filename Additional Information Success Count
Get Info C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-International%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-International%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-International%4Operational.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.locked size = 144 True 1
Fn
Data
Module (80)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (35)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 21422066778 True 1
Get Time type = Performance Ctr, time = 21571537053 True 1
Get Time type = System Time True 16
Get Time type = Performance Ctr, time = 21616625798 True 1
Get Time type = Performance Ctr, time = 21707418737 True 1
Get Time type = Performance Ctr, time = 21761333636 True 1
Get Time type = Performance Ctr, time = 21836399373 True 1
Get Time type = Performance Ctr, time = 21842457114 True 1
Get Time type = Performance Ctr, time = 21879199208 True 1
Get Time type = Performance Ctr, time = 21923519960 True 1
Get Time type = Performance Ctr, time = 22049088475 True 1
Get Time type = Performance Ctr, time = 22076980525 True 1
Get Time type = Performance Ctr, time = 22242781361 True 1
Get Time type = Performance Ctr, time = 22309358734 True 1
Get Time type = Performance Ctr, time = 22382027055 True 1
Get Time type = Performance Ctr, time = 22530061959 True 1
Get Time type = Performance Ctr, time = 22599681061 True 1
Get Time type = Performance Ctr, time = 22658270114 True 1
Get Info type = Hardware Information True 2
Mutex (1006)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1005
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (2)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx True 1
Process #20: zzbdrimp5619.exe
Information Value
ID #20
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:02, Reason: Child Process
Unmonitor End Time: 00:02:19, Reason: Self Terminated
Monitor Duration 00:00:17
OS Process Information
Information Value
PID 0xcb8
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xD84, 0xCEC
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked 68.14 KB MD5: b81f155db9ab8de62454ef7f2a518e8b
SHA1: 5084bdaa67972023c4a3a8f45d5ce963b92a7fed
SHA256: a87e2826c9c67669f8db8fdc466a91867d1ef07191416fef46d24cb685e14b11
SSDeep: 1536:SqNqzQmliXGnIxcq7HeEDXhHylu+LEoEVpeg3s1wSYKfpEsnYb:BN43nY7HeEDXhY2q+1fKeCe
YARA Match: False
C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked 68.14 KB MD5: e5cb5ffcfa15856738df9070c5175106
SHA1: d2d5164febc475b1b6b80ebbee4bedc65934cccc
SHA256: aa5a796503b768dc3471e92a9d92872e45a5c74badeab7d0b348bdfde71024e0
SSDeep: 1536:hGebDaCt4e5MtF1r4xnJQda3HdW0LASMpLO0dnY3mWJvTPzN81x7:uQ4vtfrkn0iIaKE0BYjTPzS7
YARA Match: False
C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked 68.14 KB MD5: cc44b06a44b48e63ce8718b3e876e839
SHA1: 9b19be25d38414c983e7d300d693fbffcf6adf31
SHA256: dc983afce30f8cb6faeb947cb0b6516013adda90ce30c83bf34fb5160d350e23
SSDeep: 1536:LEcs8xGzL93wTLU7wSgORBxU1EVpfIDO4QxmVgtwCNGQN:LEcBM13wXSg2BIDO4QxmqKCHN
YARA Match: False
C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked 68.14 KB MD5: d1a93e73e1a31c3cdc27943746323c4f
SHA1: 24ca472caf0dafe8613ace275d8769500a6f6707
SHA256: ec9154b8408f91f637316054a1e40f0acf0e6894cce7f949c1f056929a27e679
SSDeep: 1536:hwSFFyEXQPp3GItL7q5S6yzVj1w5qxX7EWyw9K06dKC9R:hDQPsw7iSr5w5qxXgS916Tr
YARA Match: False
C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked 68.14 KB MD5: 1735880341cc160f3c249523f76af51e
SHA1: 8aca9ed70bdcde35fc959d2d6ac5d4e0c3906789
SHA256: ee93dd6af3924c921820629a3505cc5f46e089be0d431645eb1a0a3fd4aeeff3
SSDeep: 1536:T6pL9u/nz8vH1kpbOkKG5HvggJp45bEItji8SHKPLQqH3Qxs2L8OpAj:+ru/nIfqpbOozp4SIg8AKjQzVL8kAj
YARA Match: False
C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked 68.14 KB MD5: 9efb609b44e9fc360b38ba5b16d2de28
SHA1: 922c0f9c2aa50b5398b88f6fbede8b68063898b2
SHA256: 50ff0590e4f67adcaa5a55b8149ec26e6f8071b72afdb95898783e6d444e90e3
SSDeep: 1536:dxRw3fIkVPeMiB5qGB0wduWic8kQdJQdas/lLO8DNDiBC9Iw:NwwmPePB5ic8kQnQdbLTqC9V
YARA Match: False
Host Behavior
File (72)
Operation Filename Additional Information Success Count
Create C:\Users\Public\Desktop\README_LOCKED.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Get Info C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked type = file_attributes False 1
Get Info C:\Users\Public\Desktop\README_LOCKED.txt type = file_type True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked source_filename = C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked size = 4096, size_out = 4096 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-AppLocker%4EXE and DLL.evtx.locked offset = 0, size = 65536 True 1
Write - offset = 65536, size = 4100 True 1
Write - size = 144 True 1
Module (79)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load kernel32 base_address = 0x75e90000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x75ea4280 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (37)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 21535905426 True 1
Get Time type = Performance Ctr, time = 21662214669 True 1
Get Time type = System Time True 17
Get Time type = Performance Ctr, time = 21686014031 True 1
Get Time type = Performance Ctr, time = 21786410630 True 1
Get Time type = Performance Ctr, time = 21812499730 True 1
Get Time type = Performance Ctr, time = 21904174992 True 1
Get Time type = Performance Ctr, time = 21943079981 True 1
Get Time type = Performance Ctr, time = 22039634724 True 1
Get Time type = Performance Ctr, time = 22059994653 True 1
Get Time type = Performance Ctr, time = 22245617621 True 1
Get Time type = Performance Ctr, time = 22278708420 True 1
Get Time type = Performance Ctr, time = 22404131005 True 1
Get Time type = Performance Ctr, time = 22539111847 True 1
Get Time type = Performance Ctr, time = 22608787897 True 1
Get Time type = Performance Ctr, time = 22718668081 True 1
Get Time type = Performance Ctr, time = 22792707670 True 1
Get Time type = Performance Ctr, time = 22858132523 True 1
Get Time type = Performance Ctr, time = 22890029799 True 1
Get Info type = Hardware Information True 2
Mutex (1254)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1253
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (1)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx True 1
Process #21: zzbdrimp5619.exe
Information Value
ID #21
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:04, Reason: Child Process
Unmonitor End Time: 00:02:19, Reason: Self Terminated
Monitor Duration 00:00:14
OS Process Information
Information Value
PID 0x9b4
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF70, 0x7F0
Dropped Files
Filename File Size Hash Values YARA Match
C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked 68.14 KB MD5: bbe6d041077ed963416dbdd0a7779d9a
SHA1: 5a35def0dd96a8192447a93bcbd66a6dd019147b
SHA256: ca769f5db6c8bb902fb8907ecf249d8aa027db60ae7e41317791b77cce95d89f
SSDeep: 1536:QCDM+3WreNDBi95jiALNDnEN9q07n3YLy3doIelP:QSlBM7HLNDEN9q0r0y2Iep
False
C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked 68.14 KB MD5: 0f90a22945438c84d947a286d9538d78
SHA1: 42f59a6e001a221850c703eb8e445a39b8cea0cb
SHA256: 02766aab0a4a67cf02925cc1e09631410cd51413e6474e36060f580b10454859
SSDeep: 1536:blXRJvJ7/LROTVNmcqjyequa/ep9wZ4ygBQOJmg91Xk2Xne:BXRRV/Levlv+9yYBQGF9o
False
C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked 68.14 KB MD5: 74caa354269294387e4638121a7d4729
SHA1: ffd800ef4b9ba91c15e445c705541c334609ed2f
SHA256: a8ef0a2167372975fa08cf3341659d6c440dbdd0517b3721ba925210713d2300
SSDeep: 1536:3PA3r/LGszODg7YZAOwksZpGgg6bwOgFAZQZNOmPWTs9sbezSFh:fA3r/L9N7KUl8VrOmP/Obz7
False
Host Behavior
File (36)
Operation Filename Additional Information Success Count
Get Info C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Write \??\\C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Module (71)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (31)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 21727125980 True 1
Get Time type = Performance Ctr, time = 21819730514 True 1
Get Time type = System Time True 14
Get Time type = Performance Ctr, time = 21869781160 True 1
Get Time type = Performance Ctr, time = 21955098030 True 1
Get Time type = Performance Ctr, time = 21966917373 True 1
Get Time type = Performance Ctr, time = 22045322533 True 1
Get Time type = Performance Ctr, time = 22051191215 True 1
Get Time type = Performance Ctr, time = 22247248094 True 1
Get Time type = Performance Ctr, time = 22313453475 True 1
Get Time type = Performance Ctr, time = 22445598233 True 1
Get Time type = Performance Ctr, time = 22492633110 True 1
Get Time type = Performance Ctr, time = 22556745083 True 1
Get Time type = Performance Ctr, time = 22622203367 True 1
Get Time type = Performance Ctr, time = 22697337915 True 1
Get Time type = Performance Ctr, time = 22810302272 True 1
Get Info type = Hardware Information True 2
Mutex (750)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 749
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #22: zzbdrimp5619.exe
Information Value
ID #22
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:13, Reason: Child Process
Unmonitor End Time: 00:02:48, Reason: Self Terminated
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0x9fc
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x260, 0x7EC, 0xE94, 0x654
Dropped Files
Filename File Size Hash Values YARA Match
C:\Boot\zh-CN\bootmgr.exe.mui.locked 62.49 KB MD5: e66767a71a7a195040ec5c09055937ee
SHA1: c5ca7f32dc9887a7c29cc26613b471587b611644
SHA256: 24b465fe8f2dcf62fdbb9656f2ca40173d811d27719bb17d7db5fd060f07cb20
SSDeep: 1536:1lv49pNGOaTXeYh8UYZtBEKQ/tVt9tNS2kgmNrbHL8H:v4H8XzqUOtBwlV7tNSDNrbHLi
False
C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked 68.14 KB MD5: 92afa29f6e82dcf22e65dadaaa9cfa9c
SHA1: a5d0d70a24043839f822f5f84be7d495855fa6e1
SHA256: f1c435e27f1228b35fdf771d46d98763a566fd1a990acf3c7bab9f29e8e7c75d
SSDeep: 1536:iMRaxDf0GX90ErXWeNNLYdkMn6I7N7tBfpzZCw2QNxbSd:bADffXeANLBM6I7tLpZxTpm
False
C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked 68.14 KB MD5: 04ca6d276b688a971b5766fbbeaaa87c
SHA1: 792beaf701546d07cb3c8d421a3b5c01266e29b9
SHA256: 3f248412de7a170f7fc859ba62971eb82c51f2a0a1127c66571bc530baa94126
SSDeep: 1536:fhiC9Q7K2ca4K6R1Ib8cvn3A6ygJrSEfujsz72:g5M7ivn3JyOLmg72
False
C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked 68.14 KB MD5: ec64d0c3b2a615fc71e43ccb9182fa2e
SHA1: 96019a2d178450f6e1e8330a10acfd92c9b77e10
SHA256: f1ea8c671ef4a7bbbba4c824f244c9cf71253e61ebaeb012121cb4b2cd6cd1c8
SSDeep: 1536:fEkqfyS3GPKr5100LGV3rrGY6KNntSKKvV4ShdE1Q3YBV:f7qqS34KD00LS3rSSS94SLoQ3YBV
False
C:\Boot\ja-JP\bootmgr.exe.mui.locked 65.99 KB MD5: 66234c3586a68df708657534cb9b341a
SHA1: 801925dbbe27b21ffd9fc0789a9b3106af12533e
SHA256: 96642b562b0671a65df0d42ff9386596e2f012a6cb388e1c1163234a1c2782ad
SSDeep: 1536:LXg9gfkwNbJMS1X30jbE7u0AY5flgWHisVM5AnV82divGFj:j/xbJp0Q7tAYNlg4HM5AViOFj
False
C:\Boot\qps-ploc\memtest.exe.mui.locked 53.04 KB MD5: bfb49cba7c6113c28e32a6c5b8b811a7
SHA1: 81742574201b22ef95202459ff3ebb7b74d20d98
SHA256: 4661cf83e358f11d26fbb85c99e166adecab38f80084252bc8ff8cec10165d79
SSDeep: 1536:/vg5ZtUAZms8dZ5eVovDKQBPxjjPhQmqaa:3uZtzMs+OoLKQBPxh36
False
C:\Boot\pt-PT\memtest.exe.mui.locked 45.05 KB MD5: 962023c97fb24539eb2f087c4ff283ad
SHA1: b60c738e3ed2154c0466b69507bc542360632316
SHA256: 885f329ab0d9b46404ac4233375d12aa7f11c64da3acdf0e2a69308071a693b4
SSDeep: 768:+mvYyGueyNYCNZDYArnq+ZfRocByiDEi3dftlagUFo0UzgFzh:iueyaCNZ1rnl1vByiDEi3d4emFh
False
C:\Boot\it-IT\memtest.exe.mui.locked 44.55 KB MD5: 167f41cc74968a2c0ff174982b739029
SHA1: 148d53344402fa809dafe3c12fc4decbeec95c1b
SHA256: 90cdd1ddba3b11ffeb36f15d219a65aeea81ab3f6fdeec73969d001be87ba63b
SSDeep: 768:YmYndhTcDM9B98JUIgFCABs4mFCSOqCXlKcp2n9eB721Eg7ZgE:YmYndN+MKUIgFCA4CLqCVJQnoBYbZgE
False
C:\Boot\fi-FI\memtest.exe.mui.locked 44.55 KB MD5: ad7fe88d1e941398d7ae24a8556490c2
SHA1: b1e687eeb9b280d5a0d6349f45b22eb13a40392c
SHA256: cc4dc4354404cfb1c1ccef81d5edb54be8712f9eec61374163113c210d80cb85
SSDeep: 768:rK94J72HG4cMJ+Zczq25mLMYq1CG4R4UEN6r7CRAqnQG+lKQDy7WLX9kEZCndZ0k:rYKXMJrtDJxUK02mqnUlXD6WLnCd6P8
False
C:\Boot\sv-SE\memtest.exe.mui.locked 44.04 KB MD5: 2a600dc2c08419c5689a5bc8ee61e045
SHA1: 18d45dd8a432e11dba534c89d6fc30a4df7d1ff8
SHA256: d7212347c8a96c3212358d6d314f045818a1bb68d2532cdba019d8643ef2d7a8
SSDeep: 768:9CySwqli+TnQbK2zAUXV0ZDp7txehJZBMH/JXS/aWiFEpuG54xEKdD7w2:fSikQbfbKZxtgZSH/JXFLguGiqKt7w2
False
C:\Boot\ja-JP\memtest.exe.mui.locked 42.04 KB MD5: 9f0c21bb95782be9c22c9093e3364389
SHA1: 89f6f92004e42cf5c2a825c5c4e60508a825afd5
SHA256: 84be4037ab64af50f3e8f1e32bcc20a16153416b5c5de6d93cd5abc6a93710b6
SSDeep: 768:PiasXBjwLZ7dTKPD80O3FUeRxxVll1n2sgF8RJgiqPL2TwkrGPhiJuJyP:Pia6BMRJfHas7Jkcwkr2J6
False
Host Behavior
File (111)
Operation Filename Additional Information Success Count
Get Info C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Boot\ja-JP\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\ja-JP\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\zh-CN\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-CN\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\qps-ploc\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\qps-ploc\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\pt-PT\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-PT\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\it-IT\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\it-IT\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\fi-FI\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\fi-FI\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\sv-SE\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\sv-SE\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\ja-JP\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\ja-JP\memtest.exe.mui.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\ja-JP\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\zh-CN\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\qps-ploc\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\pt-PT\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\it-IT\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\fi-FI\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\sv-SE\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\ja-JP\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked source_filename = C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\ja-JP\bootmgr.exe.mui.locked source_filename = C:\Boot\ja-JP\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\zh-CN\bootmgr.exe.mui.locked source_filename = C:\Boot\zh-CN\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\qps-ploc\memtest.exe.mui.locked source_filename = C:\Boot\qps-ploc\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\pt-PT\memtest.exe.mui.locked source_filename = C:\Boot\pt-PT\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\it-IT\memtest.exe.mui.locked source_filename = C:\Boot\it-IT\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\fi-FI\memtest.exe.mui.locked source_filename = C:\Boot\fi-FI\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\sv-SE\memtest.exe.mui.locked source_filename = C:\Boot\sv-SE\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\ja-JP\memtest.exe.mui.locked source_filename = C:\Boot\ja-JP\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Boot\ja-JP\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\ja-JP\bootmgr.exe.mui.locked size = 1888, size_out = 1888 True 1
Read \??\\C:\Boot\zh-CN\bootmgr.exe.mui.locked size = 63840, size_out = 63840 True 1
Read \??\\C:\Boot\qps-ploc\memtest.exe.mui.locked size = 54168, size_out = 54168 True 1
Read \??\\C:\Boot\pt-PT\memtest.exe.mui.locked size = 45984, size_out = 45984 True 1
Read \??\\C:\Boot\it-IT\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Read \??\\C:\Boot\fi-FI\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Read \??\\C:\Boot\sv-SE\memtest.exe.mui.locked size = 44952, size_out = 44952 True 1
Read \??\\C:\Boot\ja-JP\memtest.exe.mui.locked size = 42904, size_out = 42904 True 1
Write \??\\C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Boot\ja-JP\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Write \??\\C:\Boot\ja-JP\bootmgr.exe.mui.locked offset = 65536, size = 1892 True 1
Write \??\\C:\Boot\ja-JP\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\zh-CN\bootmgr.exe.mui.locked offset = 0, size = 63844 True 1
Write \??\\C:\Boot\zh-CN\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\qps-ploc\memtest.exe.mui.locked offset = 0, size = 54172 True 1
Write \??\\C:\Boot\qps-ploc\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\pt-PT\memtest.exe.mui.locked offset = 0, size = 45988 True 1
Write \??\\C:\Boot\pt-PT\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\it-IT\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Write \??\\C:\Boot\it-IT\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\fi-FI\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Fn
Data
Write \??\\C:\Boot\fi-FI\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\sv-SE\memtest.exe.mui.locked offset = 0, size = 44956 True 1
Fn
Data
Write \??\\C:\Boot\sv-SE\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\ja-JP\memtest.exe.mui.locked offset = 0, size = 42908 True 1
Fn
Data
Write \??\\C:\Boot\ja-JP\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Module (77)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (47)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 22624945851 True 1
Get Time type = Performance Ctr, time = 22776403877 True 1
Get Time type = System Time True 22
Get Time type = Performance Ctr, time = 22832736710 True 1
Get Time type = Performance Ctr, time = 22855558243 True 1
Get Time type = Performance Ctr, time = 22896234576 True 1
Get Time type = Performance Ctr, time = 22998343048 True 1
Get Time type = Performance Ctr, time = 23134298164 True 1
Get Time type = Performance Ctr, time = 23215435555 True 1
Get Time type = Performance Ctr, time = 23287471689 True 1
Get Time type = Performance Ctr, time = 24673391764 True 1
Get Time type = Performance Ctr, time = 24696435237 True 1
Get Time type = Performance Ctr, time = 24832416677 True 1
Get Time type = Performance Ctr, time = 24847552128 True 1
Get Time type = Performance Ctr, time = 25058149432 True 1
Get Time type = Performance Ctr, time = 25079730069 True 1
Get Time type = Performance Ctr, time = 25237237217 True 1
Get Time type = Performance Ctr, time = 25254525083 True 1
Get Time type = Performance Ctr, time = 25382139032 True 1
Get Time type = Performance Ctr, time = 25416127222 True 1
Get Time type = Performance Ctr, time = 25558149085 True 1
Get Time type = Performance Ctr, time = 25573650470 True 1
Get Time type = Performance Ctr, time = 25788144887 True 1
Get Time type = Performance Ctr, time = 25800188741 True 1
Get Info type = Hardware Information True 2
Mutex (1770)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1769
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (11)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\ja-JP\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\zh-CN\bootmgr.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\qps-ploc\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\pt-PT\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\it-IT\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\fi-FI\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\sv-SE\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\ja-JP\memtest.exe.mui True 1
Process #23: zzbdrimp5619.exe
Information Value
ID #23
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:15, Reason: Child Process
Unmonitor End Time: 00:02:48, Reason: Self Terminated
Monitor Duration 00:00:32
OS Process Information
Information Value
PID 0xd6c
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xF68, 0xFA8
Dropped Files
Filename File Size YARA Match
C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked 68.14 KB False
C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked 68.14 KB False
C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked 68.14 KB False
C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked 68.14 KB False
C:\Boot\BOOTSTAT.DAT.locked 64.14 KB False
C:\Boot\zh-HK\bootmgr.exe.mui.locked 62.48 KB False
C:\Boot\fr-FR\memtest.exe.mui.locked 45.05 KB False
C:\Boot\de-DE\memtest.exe.mui.locked 45.05 KB False
C:\Boot\nb-NO\memtest.exe.mui.locked 44.55 KB False
C:\Boot\sr-Latn-CS\memtest.exe.mui.locked 43.98 KB False
C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked 41.82 KB False
Host Behavior
File (111)
Operation Filename Additional Information Success Count
Get Info C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked type = file_attributes False 1
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx type = file_attributes True 3
Get Info C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked type = file_attributes False 1
Get Info C:\Boot\BOOTSTAT.DAT type = file_attributes True 3
Get Info C:\Boot\BOOTSTAT.DAT.locked type = file_attributes False 1
Get Info C:\Boot\zh-HK\bootmgr.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-HK\bootmgr.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\fr-FR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\fr-FR\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\de-DE\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\de-DE\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\nb-NO\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\nb-NO\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\sr-Latn-CS\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\sr-Latn-CS\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log type = file_attributes True 3
Get Info C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\BOOTSTAT.DAT.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\zh-HK\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\fr-FR\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\de-DE\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\nb-NO\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\sr-Latn-CS\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked source_filename = C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked source_filename = C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked source_filename = C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\BOOTSTAT.DAT.locked source_filename = C:\Boot\BOOTSTAT.DAT, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\zh-HK\bootmgr.exe.mui.locked source_filename = C:\Boot\zh-HK\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\fr-FR\memtest.exe.mui.locked source_filename = C:\Boot\fr-FR\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\de-DE\memtest.exe.mui.locked source_filename = C:\Boot\de-DE\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\nb-NO\memtest.exe.mui.locked source_filename = C:\Boot\nb-NO\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\sr-Latn-CS\memtest.exe.mui.locked source_filename = C:\Boot\sr-Latn-CS\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked source_filename = C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked size = 4096, size_out = 4096 True 1
Read \??\\C:\Boot\BOOTSTAT.DAT.locked size = 65536, size_out = 65536 True 1
Read \??\\C:\Boot\zh-HK\bootmgr.exe.mui.locked size = 63832, size_out = 63832 True 1
Read \??\\C:\Boot\fr-FR\memtest.exe.mui.locked size = 45984, size_out = 45984 True 1
Read \??\\C:\Boot\de-DE\memtest.exe.mui.locked size = 45984, size_out = 45984 True 1
Read \??\\C:\Boot\nb-NO\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Read \??\\C:\Boot\sr-Latn-CS\memtest.exe.mui.locked size = 44888, size_out = 44888 True 1
Read \??\\C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked size = 42674, size_out = 42674 True 1
Write \??\\C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx.locked size = 144 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked offset = 0, size = 65536 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked offset = 65536, size = 4100 True 1
Write \??\\C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx.locked size = 144 True 1
Write \??\\C:\Boot\BOOTSTAT.DAT.locked offset = 0, size = 65540 True 1
Write \??\\C:\Boot\BOOTSTAT.DAT.locked size = 144 True 1
Write \??\\C:\Boot\zh-HK\bootmgr.exe.mui.locked offset = 0, size = 63836 True 1
Write \??\\C:\Boot\zh-HK\bootmgr.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\fr-FR\memtest.exe.mui.locked offset = 0, size = 45988 True 1
Write \??\\C:\Boot\fr-FR\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\de-DE\memtest.exe.mui.locked offset = 0, size = 45988 True 1
Write \??\\C:\Boot\de-DE\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\nb-NO\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Write \??\\C:\Boot\nb-NO\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\sr-Latn-CS\memtest.exe.mui.locked offset = 0, size = 44892 True 1
Write \??\\C:\Boot\sr-Latn-CS\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked offset = 0, size = 42678 True 1
Write \??\\C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log.locked size = 144 True 1
Module (77)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (47)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 22823585959 True 1
Fn
Get Time type = Performance Ctr, time = 22918432374 True 1
Fn
Get Time type = System Time True 22
Fn
Get Time type = Performance Ctr, time = 22927116310 True 1
Fn
Get Time type = Performance Ctr, time = 23006910990 True 1
Fn
Get Time type = Performance Ctr, time = 23065771744 True 1
Fn
Get Time type = Performance Ctr, time = 23098663371 True 1
Fn
Get Time type = Performance Ctr, time = 23118627010 True 1
Fn
Get Time type = Performance Ctr, time = 23176282605 True 1
Fn
Get Time type = Performance Ctr, time = 23263766403 True 1
Fn
Get Time type = Performance Ctr, time = 24579332986 True 1
Fn
Get Time type = Performance Ctr, time = 24597180776 True 1
Fn
Get Time type = Performance Ctr, time = 24694140293 True 1
Fn
Get Time type = Performance Ctr, time = 24710680309 True 1
Fn
Get Time type = Performance Ctr, time = 24849943456 True 1
Fn
Get Time type = Performance Ctr, time = 24869442893 True 1
Fn
Get Time type = Performance Ctr, time = 25065710872 True 1
Fn
Get Time type = Performance Ctr, time = 25086140290 True 1
Fn
Get Time type = Performance Ctr, time = 25403980503 True 1
Fn
Get Time type = Performance Ctr, time = 25432755629 True 1
Fn
Get Time type = Performance Ctr, time = 25560634644 True 1
Fn
Get Time type = Performance Ctr, time = 25578144747 True 1
Fn
Get Time type = Performance Ctr, time = 25769898948 True 1
Fn
Get Time type = Performance Ctr, time = 25773756897 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (2026)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 2025
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (11)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Admin.evtx True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\BOOTSTAT.DAT True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\zh-HK\bootmgr.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\fr-FR\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\de-DE\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\nb-NO\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\sr-Latn-CS\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\$GetCurrent\Logs\downlevel_2017_09_07_02_02_39_766.log True 1
Fn
Process #24: zzbdrimp5619.exe
1489 0
Information Value
ID #24
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:17, Reason: Child Process
Unmonitor End Time: 00:03:06, Reason: Self Terminated
Monitor Duration 00:00:49
OS Process Information
Information Value
PID 0xdac
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xEC4
0xE64
0xB6C
0x83C
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked 68.14 KB MD5: 23b35c5734b3fbb35a7d8eed588ab2ed
SHA1: bfe3533a59b7ae33df608a3c7451bcfbf8990bfa
SHA256: 2a0ccdf805bf177af198df014ff3d7df52c15231287d050f4fd97e39b2a33f9a
SSDeep: 1536:b8oc83ipDPUBU6kGSd28dxCzuvwDHP4cyaV/ABDCC:bV3i9PqHkGCrbCivWW
False
C:\Boot\ko-KR\bootmgr.exe.mui.locked 65.49 KB MD5: f2baf94e7368a751332cbfed867baf19
SHA1: b0fc4b511b7419c2f2c125b5be13caed44d063cb
SHA256: 89907c1b69d08de0dd72231235d512b48069d7d7a46f0e3f6890b5ab68a6738d
SSDeep: 768:sUS69+/pUmgiJ4Jg++rPx8/q3v0mTB1jbIQKFUfLl7oMyhp5jHxNXNMTJ11XHJ+C:sZFgiJ4O+r/BqBVbSWfG3lN+hHJa+OaV
False
C:\Boot\el-GR\memtest.exe.mui.locked 45.55 KB MD5: 348d2e3bb16d19750607e5d1605e2635
SHA1: 20fefa37ffc267fa9d25bfdc3eeb2312806e98f0
SHA256: ff4ac21bebb37caee9dd530a271bc8edb84040715ed8e8b53d18da4ab64974d1
SSDeep: 768:xrqeoEtbjxHwDCvjOeFNMmmRiWVAzZIrCi81uNmjn3V1vBweXNON1/YUaFXAWB5W:xmarvieFeNiWSZIk0mj3rvRu1/baFXAX
False
C:\Boot\hu-HU\memtest.exe.mui.locked 45.04 KB MD5: cc252567d508c95050bf4430184cacf2
SHA1: 10507eb6da549c97cf0d6f54fa936e4af5ced98e
SHA256: 1b32fc69207d914857526451ee4a2bf661ffdee3bbb6541d6371d65a5bb813a6
SSDeep: 768:Tmymf36o58nnqL4Nr5uKuvaPCcJg57cnzyy6p9FaM9FC8ZvA6rFVvvuXSkOx54vp:Tfy36o58qhva9e5ud6pHaM3BbVnuX4xQ
False
C:\Boot\zh-CN\memtest.exe.mui.locked 41.55 KB MD5: 30a7f18a4b5ac42375cf01b4b1f2d08f
SHA1: d12d6a6990c20e1c06c3c495fb7b7fd4384e1c0e
SHA256: 68073ed670144e7f3db2e6a5feaf35c7ffbdc6a71f0ddead2655c61e95befd8a
SSDeep: 768:wsA1Sm9QqHOaLeonmDtYNuS/RgqPN2oneqeClQzOceD5G92BugYesH5awJOVykz:wsA1XQqpmB4JbbCSceDk9ntQwJ8z
False
C:\588bce7c90097ed212\SplashScreen.bmp.locked 40.26 KB MD5: d3989d90a9f04f95a5633648e46eefd4
SHA1: 9270c277bc263b137670df836cb8aac99b9d419b
SHA256: 25b42c40e01e59c9f5bd2be0b622dfd441331638ad4cc14abae7ba71b783400e
SSDeep: 768:5kBc2YhXGnhKnL3NTHRqGRCHPyt7bFGSLBIriNEuRi0YmQUolsSoHgQCBxodvwsV:5sYh2nhKLdRqACqt74SLWriN/Q0Ym/oc
False
C:\588bce7c90097ed212\1049\SetupResources.dll.locked 17.98 KB MD5: 65a58d7ee33c091720d31a81dde07e41
SHA1: 74ea6863bcba23d2e985212e98e7346d9eebe746
SHA256: 149a8f1d8b611693dd0d3f0e66655cdefeb5fdbdba699ab51fbd1ad645a5570f
SSDeep: 384:H3O1w4oGTS4aM3LUjs/kxjuYyrsDICkwG96xy4S8Mq2J87:H3O1w4oGTS4FDkcr4AwVxy4rMqw87
False
C:\Boot\cs-CZ\memtest.exe.mui.locked 44.55 KB MD5: fce01a7400cd3bf1a0fbf1998fee1563
SHA1: 9a64b0f01e4fc0d5538538622e5f73a19daad4b5
SHA256: d14335b4a93d580141e6a49949849a80619b227d5db67850150ccefaa262f941
SSDeep: 768:5rYKwmunbaLO4ht8KECbJH5BWPELYzZDU3a2uc2Zh6j6XfU8Sa:OKwfbsv8KcELYzZDUqF/ZXfUO
False
C:\Boot\tr-TR\memtest.exe.mui.locked 44.55 KB MD5: 705e42ff1a409e4fdb19bfca730c5c4d
SHA1: 112d11d19307452742631e92188568764c0e47a0
SHA256: 9b9e7ff56e2d4a4954593bbe1c82266337fa2e5586fde304ea2214d60a779a11
SSDeep: 768:AQVMKnUaRHEXej7ukRJkeGS12ooXgxP4wTGzxHnpMSovLFEkDszn05:ALK3t1jvReCxwnZ2SEDg05
False
Host Behavior
File (85)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx type = file_attributes True 3
Fn
Get Info C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked type = file_attributes False 1
Fn
Get Info C:\Boot\ko-KR\bootmgr.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\ko-KR\bootmgr.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\Boot\el-GR\memtest.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\el-GR\memtest.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\Boot\hu-HU\memtest.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\hu-HU\memtest.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\Boot\cs-CZ\memtest.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\cs-CZ\memtest.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\Boot\BCD type = file_attributes True 3
Fn
Get Info C:\Boot\BCD.locked type = file_attributes False 1
Fn
Get Info C:\Boot\zh-CN\memtest.exe.mui type = file_attributes True 3
Fn
Get Info C:\Boot\zh-CN\memtest.exe.mui.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\SplashScreen.bmp type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\SplashScreen.bmp.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1049\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1049\SetupResources.dll.locked type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\ko-KR\bootmgr.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\el-GR\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\hu-HU\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\cs-CZ\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Boot\zh-CN\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\SplashScreen.bmp.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1049\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked source_filename = C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\ko-KR\bootmgr.exe.mui.locked source_filename = C:\Boot\ko-KR\bootmgr.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\el-GR\memtest.exe.mui.locked source_filename = C:\Boot\el-GR\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\hu-HU\memtest.exe.mui.locked source_filename = C:\Boot\hu-HU\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\cs-CZ\memtest.exe.mui.locked source_filename = C:\Boot\cs-CZ\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\tr-TR\memtest.exe.mui.locked source_filename = C:\Boot\tr-TR\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\BCD.locked source_filename = C:\Boot\BCD, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED False 1
Fn
Move C:\Boot\zh-CN\memtest.exe.mui.locked source_filename = C:\Boot\zh-CN\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\SplashScreen.bmp.locked source_filename = C:\588bce7c90097ed212\SplashScreen.bmp, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1049\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1049\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked size = 4096, size_out = 4096 True 1
Fn
Data
Read \??\\C:\Boot\ko-KR\bootmgr.exe.mui.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Boot\ko-KR\bootmgr.exe.mui.locked size = 1376, size_out = 1376 True 1
Fn
Data
Read \??\\C:\Boot\el-GR\memtest.exe.mui.locked size = 46496, size_out = 46496 True 1
Fn
Data
Read \??\\C:\Boot\hu-HU\memtest.exe.mui.locked size = 45976, size_out = 45976 True 1
Fn
Data
Read \??\\C:\Boot\cs-CZ\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Fn
Data
Read \??\\C:\Boot\zh-CN\memtest.exe.mui.locked size = 42400, size_out = 42400 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\SplashScreen.bmp.locked size = 41080, size_out = 41080 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1049\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked offset = 65536, size = 4100 True 1
Fn
Data
Write \??\\C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\ko-KR\bootmgr.exe.mui.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Boot\ko-KR\bootmgr.exe.mui.locked offset = 65536, size = 1380 True 1
Fn
Data
Write \??\\C:\Boot\ko-KR\bootmgr.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\el-GR\memtest.exe.mui.locked offset = 0, size = 46500 True 1
Fn
Data
Write \??\\C:\Boot\el-GR\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\hu-HU\memtest.exe.mui.locked offset = 0, size = 45980 True 1
Fn
Data
Write \??\\C:\Boot\hu-HU\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\cs-CZ\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Fn
Data
Write \??\\C:\Boot\zh-CN\memtest.exe.mui.locked offset = 0, size = 42404 True 1
Fn
Data
Write \??\\C:\Boot\zh-CN\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\SplashScreen.bmp.locked offset = 0, size = 41084 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\SplashScreen.bmp.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\SetupResources.dll.locked offset = 0, size = 18268 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1049\SetupResources.dll.locked size = 144 True 1
Fn
Data
Process (1)
Operation Process Additional Information Success Count Logfile
Open System desired_access = PROCESS_TERMINATE False 1
Fn
Module (77)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (41)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 22990849216 True 1
Fn
Get Time type = Performance Ctr, time = 23115736422 True 1
Fn
Get Time type = System Time True 19
Fn
Get Time type = Performance Ctr, time = 23155979287 True 1
Fn
Get Time type = Performance Ctr, time = 24643618470 True 1
Fn
Get Time type = Performance Ctr, time = 24661372519 True 1
Fn
Get Time type = Performance Ctr, time = 24882546975 True 1
Fn
Get Time type = Performance Ctr, time = 24899895201 True 1
Fn
Get Time type = Performance Ctr, time = 25010018175 True 1
Fn
Get Time type = Performance Ctr, time = 25035661687 True 1
Fn
Get Time type = Performance Ctr, time = 25073384085 True 1
Fn
Get Time type = Performance Ctr, time = 25091816120 True 1
Fn
Get Time type = Performance Ctr, time = 25365149093 True 1
Fn
Get Time type = Performance Ctr, time = 25625859789 True 1
Fn
Get Time type = Performance Ctr, time = 25905478653 True 1
Fn
Get Time type = Performance Ctr, time = 25926274919 True 1
Fn
Get Time type = Performance Ctr, time = 25992109760 True 1
Fn
Get Time type = Performance Ctr, time = 26015646102 True 1
Fn
Get Time type = Performance Ctr, time = 26194797325 True 1
Fn
Get Time type = Performance Ctr, time = 27623536788 True 1
Fn
Get Time type = Performance Ctr, time = 27641574297 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1253)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 1252
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (8)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Logs\Microsoft-Windows-TWinUI%4Operational.evtx True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\ko-KR\bootmgr.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\el-GR\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\hu-HU\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\cs-CZ\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\zh-CN\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\SplashScreen.bmp True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1049\SetupResources.dll True 1
Fn
Process #25: zzbdrimp5619.exe
Information Value
ID #25
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:17, Reason: Child Process
Unmonitor End Time: 00:03:08, Reason: Self Terminated
Monitor Duration 00:00:50
OS Process Information
Information Value
PID 0x6ac
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xFF8, 0x9B0, 0xDD8, 0xE38
Dropped Files
Filename File Size Hash Values YARA Match
C:\Boot\es-ES\memtest.exe.mui.locked 45.05 KB
MD5: 8a83aad2b28c1f3655810d174786d3a1
SHA1: da7889cb8aaa20f4d8f7307f966219e3dfc0b0c6
SHA256: c7a37f97ec140071dee281e9d5fe4be0a881d833983a37cabd2976cf636a14d6
SSDeep: 768:ZTEdbn5WaqBOcTy75jLRxHbcU+vKS71VfbBffCvs/L24lc4Bs7+Uq1riKP63zc44:+5nLqI75Rx4U+SSZxbBf6k/L24lc7EY8
YARA Match: False
C:\Boot\pl-PL\memtest.exe.mui.locked 45.05 KB
MD5: 7847394d0e65496893fede1a941b582f
SHA1: ecab2c00449e84da85df3199f4b0be1e87ccef9a
SHA256: c026df7aeb69184322200b471dbd11511fc84377b14f600b667c152db6a78412
SSDeep: 768:rm7mZ+Sbo/ykAYPuc0Y/ObcZwfid2tJJATXnDhTRD4x4704SB9TNrl6fmcq+5:rRASbo/ykAYPuc/wk7DnDhTRD4C6BNsh
YARA Match: False
C:\Boot\da-DK\memtest.exe.mui.locked 44.55 KB
MD5: a9a2f4eeb1d81c0f8940b5d51f7a21dd
SHA1: a6ca3b4faec7f683281cbe4362265e4fe89de103
SHA256: e7ae5e9567abc9947fc501792256bc3beb763978154543ae6e119ec1199c8561
SSDeep: 768:h6Zk81fgMWxejacPoTNXiLQPswZ70eNcaYKCCUBJpl+HWNM56qU6AMSKkP3:h6Zk81ITgjavwgsw+QcaYGUlCWrqWMo/
YARA Match: False
C:\Boot\pt-BR\memtest.exe.mui.locked 44.55 KB
MD5: 5f355ea8e95d660ac7aa5adce59a63e4
SHA1: 33c4461bd32b8e64dbc8bfcf72f845936cc2be3f
SHA256: 37831f357fa594699931c826139ea36c1fbaf49a5fc09e021c8ff388ee47b329
SSDeep: 768:nWRoHYod4IwxieArm/FIUojZwZC6GaYf4U+wY5+7NDClCYSU8uAdgwR:nWR0V3+5otYaaYf+7cUInR
YARA Match: False
C:\Boot\ru-RU\memtest.exe.mui.locked 44.05 KB
MD5: eab299592b4a5ceeb4d5a3dd1b51c91d
SHA1: 070e485f89147069a0faeb26b9e0825111eb4af4
SHA256: 4ad254f1a627c6b09f53c843e687d536f5860c0717b4dd0479f4e8ee158cfa86
SSDeep: 768:qEbJkvg1SNdZagfrWrTVIeAMD35SYtxm6oQaxiLVva45hweqz/L+S88Z5NoqCp:bJfqYiWr5TDAK3oQjIOofb8M9Cp
YARA Match: False
C:\Boot\ko-KR\memtest.exe.mui.locked 42.05 KB
MD5: d22358bb89cbbda2dde5d20a5a5950d2
SHA1: c0c19ef2c38efdbb068b9616b0d1c47b189bd63c
SHA256: 053e3153b71e462313f292d3fdf5beec1d1d281676a735f734a9c66014583060
SSDeep: 768:Vwp7DRM1dgH8Lev0Z+ZyKfbc++spEY9vdiGLZqPzil48q+teEn84V:Vm7DRM8HbsgQKjtEYm60PmW2hZV
YARA Match: False
C:\Boot\zh-HK\memtest.exe.mui.locked 41.48 KB
MD5: 9d837fa361cf1718033ee7a01abe06ae
SHA1: 81e175c1dfdf3f34512e16c657f4f0b77083309b
SHA256: 403d8f779ca308fc94a51788eaa5b28f5e027deb6eac09c0282a621d2538e085
SSDeep: 768:hSiZjMvZ1XsC8WiNKGUNw+hoL75To2Ss+K7bR+FAz+yK29UkiJJ38npYwbCuP+VZ:zZQZF585KGUNToL75TRSsHMFEm2mkSMo
YARA Match: False
C:\588bce7c90097ed212\1040\SetupResources.dll.locked 17.98 KB
MD5: 11496dfdddfb5029f124c1371bbd09ca
SHA1: d861902ec7e6c601b416a804139b89b954143795
SHA256: 0afadfcbc1734820862dcd28208e5fa830ba09f7c3678ff1430eebc18db4c0cf
SSDeep: 384:nbKhDB3n+ykgqhCa5rhn5/2SXk3ULiKgtL5d9W9Wbj7v1J+TPkWHdzB0z2mv:nKBuP/rh5/lUYHgtLr9W9qJ6z0z2I
YARA Match: False
C:\588bce7c90097ed212\1030\SetupResources.dll.locked 17.98 KB
MD5: 250c427bd750619b1a021823dbad2959
SHA1: 31564f92e7f69ec184a48fb9ab3edd56a86dbd8f
SHA256: 89ef159cd75fae0019d026db45e8ed36702214419b1dcfd0d51a73b18a4f87bc
SSDeep: 384:PHyjkNLUPyqDIkGBG45ObaVyXAMQ/05kyZYc9yrgfTRJsIn:PIkNIyqczG40jXAFu99yrgfTEIn
YARA Match: False
Host Behavior
File (90)
Operation Filename Additional Information Success Count
Get Info C:\Boot\BCD.LOG type = file_attributes True 3
Get Info C:\Boot\BCD.LOG.locked type = file_attributes False 1
Get Info C:\Boot\pl-PL\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\pl-PL\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\es-ES\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\es-ES\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\da-DK\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\da-DK\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\pt-BR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\pt-BR\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\ru-RU\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\ru-RU\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\ko-KR\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\ko-KR\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\zh-HK\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-HK\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1040\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1040\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1030\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1030\SetupResources.dll.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\pl-PL\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\es-ES\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\da-DK\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\pt-BR\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\ru-RU\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\ko-KR\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\zh-HK\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1040\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1030\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Boot\BCD.LOG.locked source_filename = C:\Boot\BCD.LOG, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED False 1
Move C:\Boot\pl-PL\memtest.exe.mui.locked source_filename = C:\Boot\pl-PL\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\es-ES\memtest.exe.mui.locked source_filename = C:\Boot\es-ES\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\da-DK\memtest.exe.mui.locked source_filename = C:\Boot\da-DK\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\pt-BR\memtest.exe.mui.locked source_filename = C:\Boot\pt-BR\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\ru-RU\memtest.exe.mui.locked source_filename = C:\Boot\ru-RU\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\ko-KR\memtest.exe.mui.locked source_filename = C:\Boot\ko-KR\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\zh-HK\memtest.exe.mui.locked source_filename = C:\Boot\zh-HK\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1040\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1040\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1030\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1030\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Boot\pl-PL\memtest.exe.mui.locked size = 45984, size_out = 45984 True 1
Read \??\\C:\Boot\es-ES\memtest.exe.mui.locked size = 45984, size_out = 45984 True 1
Read \??\\C:\Boot\da-DK\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Read \??\\C:\Boot\pt-BR\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Read \??\\C:\Boot\ru-RU\memtest.exe.mui.locked size = 44960, size_out = 44960 True 1
Read \??\\C:\Boot\ko-KR\memtest.exe.mui.locked size = 42912, size_out = 42912 True 1
Read \??\\C:\Boot\zh-HK\memtest.exe.mui.locked size = 42328, size_out = 42328 True 1
Read \??\\C:\588bce7c90097ed212\1040\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Read \??\\C:\588bce7c90097ed212\1030\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Write \??\\C:\Boot\pl-PL\memtest.exe.mui.locked offset = 0, size = 45988 True 1
Write \??\\C:\Boot\pl-PL\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\es-ES\memtest.exe.mui.locked offset = 0, size = 45988 True 1
Write \??\\C:\Boot\es-ES\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\da-DK\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Write \??\\C:\Boot\da-DK\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\pt-BR\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Write \??\\C:\Boot\pt-BR\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\ru-RU\memtest.exe.mui.locked offset = 0, size = 44964 True 1
Write \??\\C:\Boot\ru-RU\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\ko-KR\memtest.exe.mui.locked offset = 0, size = 42916 True 1
Write \??\\C:\Boot\ko-KR\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\Boot\zh-HK\memtest.exe.mui.locked offset = 0, size = 42332 True 1
Write \??\\C:\Boot\zh-HK\memtest.exe.mui.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1040\SetupResources.dll.locked offset = 0, size = 18268 True 1
Write \??\\C:\588bce7c90097ed212\1040\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1030\SetupResources.dll.locked offset = 0, size = 18268 True 1
Write \??\\C:\588bce7c90097ed212\1030\SetupResources.dll.locked size = 144 True 1
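The File table above repeats one sequence for every file the worker encrypts: Get Info on the original (True) and on the not-yet-existing .locked name (False), a Move of the original onto the .locked name with MOVEFILE_REPLACE_EXISTING, an Open of the renamed file with FILE_OPEN_FOR_BACKUP_INTENT, a Read of the whole file (size_out equals size), a Write at offset 0 of exactly size + 4 bytes, and a second Write of 144 bytes. The resulting file is 148 bytes larger than the original, which is what the Dropped Files section reports (pl-PL memtest.exe.mui: 45984 + 4 + 144 = 46132 bytes, shown as 45.05 KB). C:\Boot\BCD.LOG shows the failure path: the Move fails and no Open, Read or Write follows. The script below is an added example, not VMRay code and not part of this report; it parses rows in the table's "Operation Filename Additional Information Success Count" layout and reconstructs that sequence per target. The sample rows are constructed copies of a few rows from this table with the desired_access list shortened, and the one-row-per-line layout, the FileTrace/analyze names, the reading of a Write without an offset as the trailing write, and the 4-byte and 144-byte constants (taken from these rows, not from any documented format) are my assumptions.

```python
"""Reconstruct the per-file encryption sequence from rows shaped like the
File table of a VMRay report.  Added example, not sandbox code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the Process #25 File rows, copied in the
# "Operation Filename Additional Information Success Count" layout.  The
# desired_access list of the Open rows is shortened; one row per line is an
# assumption about how the table is exported.
SAMPLE_ROWS = [
    "Get Info C:\\Boot\\BCD.LOG type = file_attributes True 3",
    "Get Info C:\\Boot\\BCD.LOG.locked type = file_attributes False 1",
    "Get Info C:\\Boot\\pl-PL\\memtest.exe.mui type = file_attributes True 3",
    "Get Info C:\\Boot\\pl-PL\\memtest.exe.mui.locked type = file_attributes False 1",
    "Open STD_INPUT_HANDLE - True 1",
    "Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1",
    "Move C:\\Boot\\BCD.LOG.locked source_filename = C:\\Boot\\BCD.LOG, "
    "flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED False 1",
    "Move C:\\Boot\\pl-PL\\memtest.exe.mui.locked source_filename = C:\\Boot\\pl-PL\\memtest.exe.mui, "
    "flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1",
    "Move C:\\588bce7c90097ed212\\1040\\SetupResources.dll.locked source_filename = "
    "C:\\588bce7c90097ed212\\1040\\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1",
    "Open \\??\\\\C:\\Boot\\pl-PL\\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, "
    "SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, "
    "share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1",
    "Open \\??\\\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll.locked desired_access = FILE_READ_DATA, "
    "FILE_WRITE_DATA, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, "
    "share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1",
    "Read \\??\\\\C:\\Boot\\pl-PL\\memtest.exe.mui.locked size = 45984, size_out = 45984 True 1",
    "Read \\??\\\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll.locked size = 18264, size_out = 18264 True 1",
    "Write \\??\\\\C:\\Boot\\pl-PL\\memtest.exe.mui.locked offset = 0, size = 45988 True 1",
    "Write \\??\\\\C:\\Boot\\pl-PL\\memtest.exe.mui.locked size = 144 True 1",
    "Write \\??\\\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll.locked offset = 0, size = 18268 True 1",
    "Write \\??\\\\C:\\588bce7c90097ed212\\1040\\SetupResources.dll.locked size = 144 True 1",
]

# Two-word operations must come before their one-word prefixes.
ROW_RE = re.compile(
    r"^(?P<op>Get Info|Open Mapping|Open|Move|Read|Write)\s+"
    r"(?P<path>\S+)\s+(?P<info>.*?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$"
)
# Values may themselves contain ", " (flag lists), so split only before "key = ".
KEY_SPLIT_RE = re.compile(r", (?=\w+ = )")


def parse_info(info: str) -> Dict[str, str]:
    """Turn 'a = x, b = y, z' into {'a': 'x', 'b': 'y, z'}; '-' means no details."""
    if info.strip() == "-":
        return {}
    out: Dict[str, str] = {}
    for chunk in KEY_SPLIT_RE.split(info):
        key, _, value = chunk.partition(" = ")
        out[key.strip()] = value.strip()
    return out


def normalise(path: str) -> str:
    """Strip the NT-style \\??\\ prefix the sandbox shows on Open/Read/Write rows."""
    return path.replace("\\??\\", "").lstrip("\\")


@dataclass
class FileTrace:
    target: str                              # the *.locked path
    source: Optional[str] = None             # original name from the Move row
    renamed: Optional[bool] = None           # Success flag of that Move
    backup_intent_open: bool = False         # FILE_OPEN_FOR_BACKUP_INTENT seen
    bytes_read: Optional[int] = None         # size_out of the Read
    header_write: Optional[int] = None       # size of the Write at offset 0
    trailer_write: Optional[int] = None      # size of the Write with no offset

    HEADER_DELTA = 4      # observed: write at offset 0 is read size + 4
    TRAILER_LEN = 144     # observed: second write is always 144 bytes

    def verdict(self) -> str:
        if self.renamed is False:
            return "rename-failed"
        if (self.renamed and self.backup_intent_open and self.bytes_read is not None
                and self.header_write == self.bytes_read + self.HEADER_DELTA
                and self.trailer_write == self.TRAILER_LEN):
            return "encrypted-in-place"
        return "incomplete"

    def expected_size(self) -> Optional[int]:
        """Final on-disk size implied by the two writes, if the sequence completed."""
        if self.verdict() != "encrypted-in-place":
            return None
        return self.header_write + self.trailer_write


def size_kb(n_bytes: int) -> float:
    """Size in the two-decimal KB form used by the Dropped Files section."""
    return round(n_bytes / 1024, 2)


def analyze(rows: List[str]) -> Dict[str, FileTrace]:
    """Fold the rows into one FileTrace per *.locked target."""
    traces: Dict[str, FileTrace] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue                                   # not a File row
        op, path = m["op"], normalise(m["path"])
        if not path.lower().endswith(".locked"):
            continue                                   # std handles, mapping, originals
        info, ok = parse_info(m["info"]), m["ok"] == "True"
        t = traces.setdefault(path, FileTrace(target=path))
        if op == "Move":
            t.source, t.renamed = info.get("source_filename"), ok
        elif op == "Open" and ok:
            t.backup_intent_open = "FILE_OPEN_FOR_BACKUP_INTENT" in info.get("open_options", "")
        elif op == "Read" and ok:
            t.bytes_read = int(info["size_out"])
        elif op == "Write" and ok:
            if info.get("offset") == "0":
                t.header_write = int(info["size"])
            else:
                t.trailer_write = int(info["size"])
    return traces


if __name__ == "__main__":
    for path, trace in analyze(SAMPLE_ROWS).items():
        size = trace.expected_size()
        print(f"{trace.verdict():20} {path}" + (f"  -> {size} bytes ({size_kb(size)} KB)" if size else ""))
```

Run against the rows above it reports pl-PL memtest.exe.mui.locked and 1040 SetupResources.dll.locked as encrypted in place with expected sizes of 46132 and 18412 bytes (45.05 KB and 17.98 KB, matching Dropped Files) and BCD.LOG.locked as rename-failed. The report does not show what the 4 extra bytes or the 144-byte trailer contain; the example checks only the size arithmetic, which is enough to tie a Dropped Files entry back to the Read/Write rows that produced it.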
Process (1)
Operation Process Additional Information Success Count
Open System desired_access = PROCESS_TERMINATE False 1
Module (77)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (43)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 23054159384 True 1
Get Time type = Performance Ctr, time = 24730159553 True 1
Get Time type = System Time True 20
Get Time type = Performance Ctr, time = 24851844380 True 1
Get Time type = Performance Ctr, time = 24870425441 True 1
Get Time type = Performance Ctr, time = 25000422127 True 1
Get Time type = Performance Ctr, time = 25020081822 True 1
Get Time type = Performance Ctr, time = 25090734919 True 1
Get Time type = Performance Ctr, time = 25106043266 True 1
Get Time type = Performance Ctr, time = 25353964667 True 1
Get Time type = Performance Ctr, time = 25374007759 True 1
Get Time type = Performance Ctr, time = 25570941017 True 1
Get Time type = Performance Ctr, time = 25583733025 True 1
Get Time type = Performance Ctr, time = 25819107278 True 1
Get Time type = Performance Ctr, time = 25838742158 True 1
Get Time type = Performance Ctr, time = 26012122967 True 1
Get Time type = Performance Ctr, time = 26039700671 True 1
Get Time type = Performance Ctr, time = 26241187319 True 1
Get Time type = Performance Ctr, time = 27601322740 True 1
Get Time type = Performance Ctr, time = 27640600673 True 1
Get Time type = Performance Ctr, time = 27757084798 True 1
Get Time type = Performance Ctr, time = 27784246781 True 1
Get Info type = Hardware Information True 2
Mutex (2104)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 2103
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (10)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\BCD.LOG True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\pl-PL\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\es-ES\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\da-DK\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\pt-BR\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\ru-RU\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\ko-KR\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\zh-HK\memtest.exe.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1040\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1030\SetupResources.dll True 1
Process #26: zzbdrimp5619.exe
Information Value
ID #26
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:37, Reason: Child Process
Unmonitor End Time: 00:03:11, Reason: Self Terminated
Monitor Duration 00:00:34
OS Process Information
Information Value
PID 0xe5c
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xEF8, 0xDDC
Dropped Files
Filename File Size Hash Values YARA Match
C:\588bce7c90097ed212\1031\SetupResources.dll.locked 18.48 KB
MD5: b60ada9e37f84c3d7596bb15f39d8a2d
SHA1: 5fbecefb4ebe83ceaa62de23a04497e019723289
SHA256: 8b1e42bc175eedeb1cd5a3f89e77845d544d608507e3334a977825e44d62a1e6
SSDeep: 384:sSmB1r6TnWwVEbpmt0EOyRmx1B5q5FOgqR4+GG4SMjaI5e1shMsyFPL+1:LQZsnfh0TBx/exEP94Zze1sh3SLk
YARA Match: False
C:\588bce7c90097ed212\1046\SetupResources.dll.locked 17.98 KB
MD5: 61c0f69b18931f02a6320146be2ad7f0
SHA1: 48555bd97dc8d896c0cc4f8e8ddb701bb2c0d602
SHA256: 1b956f37a18a5a3de8a34507f786d6175853053582622201242c53293be7b6db
SSDeep: 384:Hd5ZkSDO65E6NFs/u/bj3GbJvJ23ZX6VHUoNlnpQ5OtZlWyFxDF:H/DOb67wuDj3GFvYg1JmOt20DF
YARA Match: False
C:\Boot\nl-NL\memtest.exe.mui.locked 44.55 KB
MD5: d9c755f58af0d7756dd462e7edc1f7b1
SHA1: 842d561e246b88e48ba270268304e97a3004135c
SHA256: 8a5dcbd4d10a2bd0291384c41c5dfa5d8a42146954672f32a3526cb3166007fe
SSDeep: 768:Z+h8n6g3grmgXUeuq3K+ZN6xuqyfpJOuTOSaUE/OYStAmMfwQPY+L75qdti++SU2:ZU8n6WgSmXhZNSyhJOuTOSaUE/OYStX1
YARA Match: False
C:\Boot\en-US\memtest.exe.mui.locked 44.05 KB
MD5: 5bc8c12af3bdfbba26d4fa50a3c86147
SHA1: 11abad404f6d668aadd1cdeb3b8493520a18ce17
SHA256: e2e261bdd6a60db27678a0ce683a5e3c281ea652f0fccb50c5f3836683fe7f2b
SSDeep: 768:zwe7uq9A+quFeBNsu+ynNjqs8EbLNeEj4ZgaDaBLP52:cw9BYS4pxgbZLDaBLP52
YARA Match: False
C:\Boot\Fonts\segmono_boot.ttf.locked 43.95 KB
MD5: 376ac34a15e8fea9d0dddc560f92a42a
SHA1: b3cbde11f428a299a1238873580ad66d810c1fd8
SHA256: ac999b8b4e128f803c711e419ad3d05126150f75b6031ef54342f87c25c28951
SSDeep: 768:6kLbx5989zVOX74r4w+EIQ/K4Q0HfMMP+d9P306Wg3hWet5SYvdQt1A7tNgvEps+:6kx5WoL4r4AIQC4Q0Hv29P3fWg3IeLFp
YARA Match: False
C:\Boot\zh-TW\memtest.exe.mui.locked 41.54 KB
MD5: 42bf686db62440e174257bff0b7fce04
SHA1: 0b52d23df8447bf9defedeffc603747f6137d53f
SHA256: 30021ae64e53643734033a3072c8307a330a5a9b4654e19ead87ca76f8810678
SSDeep: 768:ZfTrikXE3L0XZtFu/YAnlTln5b+ADQxyfAxfvJ7OuKjG57pDif9Si:FKkaYXCnlRnJ+AEyfAhoG57pQ5
YARA Match: False
C:\588bce7c90097ed212\Graphics\Setup.ico.locked 35.99 KB
MD5: b022890265fd92603b41f2542080194b
SHA1: 0d7ecde272ced36e3e0ec9fc497d97db934012d2
SHA256: c9b1dd9b7ab5470f90292c50df6c523e10707840c8524b54f2de4b16d1e113cd
SSDeep: 768:hznHF8f1sVPgvz++l35BTER+7Bhy3ecUCMwSOOD64tr0wkygJ:hznHFE1sabz5BTEY7BEe1C1xRwu
YARA Match: False
C:\588bce7c90097ed212\1045\SetupResources.dll.locked 17.98 KB
MD5: d8746bdf3eeeb8b2da24a834ae2aca89
SHA1: d22e02cbe55d626a75cbf0ff8d821df0b8249950
SHA256: a61aa1f2ef10b1006e6d90330c9cb8ce80d5deeb361d21630de694ff0e70d2cf
SSDeep: 384:uDCug6ljjotH4X/sDLMC0/kBkGutJaZ5RO5+YZ:PugijCD34cyGut25RO5NZ
YARA Match: False
C:\588bce7c90097ed212\1025\SetupResources.dll.locked 16.98 KB
MD5: d31d5b54434f8c8ee5d45737a1b5f691
SHA1: dee9a88fc9ee41faaa1773dd4af7373bfb4160a6
SHA256: ca9ddb547b3f10300bd74a491105aedf63fba5528aefc7a85989ef9e4028e2e4
SSDeep: 384:htrDMTDbZkayGorLEyDp35rsTHoR2HsYhwhHFiU:DPMTZyprNnrIMYehliU
YARA Match: False
C:\588bce7c90097ed212\1028\SetupResources.dll.locked 13.98 KB
MD5: 488663a780bfbace65d81982cdbc5cbf
SHA1: f22a44df6c9fe0c27bb24a0b8f468fc932f4a090
SHA256: feadd9ab98c978b8469dece2c8dbe6c909b8a883f122c3439a6081a59a575960
SSDeep: 384:9jhi04JTFjJX4iom4Rgxk/TCmqhQ8i6bBf:9jhmPoTga/GmqhvZ
YARA Match: False
Host Behavior
File (102)
Operation Filename Additional Information Success Count
Get Info C:\Boot\nl-NL\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\nl-NL\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\en-US\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\en-US\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\Boot\Fonts\segmono_boot.ttf type = file_attributes True 3
Get Info C:\Boot\Fonts\segmono_boot.ttf.locked type = file_attributes False 1
Get Info C:\Boot\zh-TW\memtest.exe.mui type = file_attributes True 3
Get Info C:\Boot\zh-TW\memtest.exe.mui.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\Setup.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Setup.ico.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1031\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1031\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1046\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1046\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1045\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1045\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1025\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1025\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1028\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1028\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\stop.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\stop.ico.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Boot\nl-NL\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\en-US\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Fonts\segmono_boot.ttf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\zh-TW\memtest.exe.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\Setup.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1031\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1046\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1045\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1025\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1028\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\stop.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\Boot\nl-NL\memtest.exe.mui.locked source_filename = C:\Boot\nl-NL\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\en-US\memtest.exe.mui.locked source_filename = C:\Boot\en-US\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\Fonts\segmono_boot.ttf.locked source_filename = C:\Boot\Fonts\segmono_boot.ttf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Boot\zh-TW\memtest.exe.mui.locked source_filename = C:\Boot\zh-TW\memtest.exe.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Graphics\Setup.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Setup.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1031\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1031\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1046\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1046\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1045\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1045\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1025\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1025\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1028\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1028\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Graphics\stop.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\stop.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\Boot\nl-NL\memtest.exe.mui.locked size = 45472, size_out = 45472 True 1
Fn
Data
Read \??\\C:\Boot\en-US\memtest.exe.mui.locked size = 44960, size_out = 44960 True 1
Fn
Data
Read \??\\C:\Boot\Fonts\segmono_boot.ttf.locked size = 44859, size_out = 44859 True 1
Fn
Data
Read \??\\C:\Boot\zh-TW\memtest.exe.mui.locked size = 42392, size_out = 42392 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\Setup.ico.locked size = 36710, size_out = 36710 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1031\SetupResources.dll.locked size = 18776, size_out = 18776 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1046\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1045\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1025\SetupResources.dll.locked size = 17240, size_out = 17240 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1028\SetupResources.dll.locked size = 14168, size_out = 14168 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\stop.ico.locked size = 10134, size_out = 10134 True 1
Fn
Data
Write \??\\C:\Boot\nl-NL\memtest.exe.mui.locked offset = 0, size = 45476 True 1
Fn
Data
Write \??\\C:\Boot\nl-NL\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\en-US\memtest.exe.mui.locked offset = 0, size = 44964 True 1
Fn
Data
Write \??\\C:\Boot\en-US\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\segmono_boot.ttf.locked offset = 0, size = 44863 True 1
Fn
Data
Write \??\\C:\Boot\Fonts\segmono_boot.ttf.locked size = 144 True 1
Fn
Data
Write \??\\C:\Boot\zh-TW\memtest.exe.mui.locked offset = 0, size = 42396 True 1
Fn
Data
Write \??\\C:\Boot\zh-TW\memtest.exe.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Setup.ico.locked offset = 0, size = 36714 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Setup.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1031\SetupResources.dll.locked offset = 0, size = 18780 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1031\SetupResources.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1046\SetupResources.dll.locked offset = 0, size = 18268 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1046\SetupResources.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1045\SetupResources.dll.locked offset = 0, size = 18268 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1045\SetupResources.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1025\SetupResources.dll.locked offset = 0, size = 17244 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1025\SetupResources.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1028\SetupResources.dll.locked offset = 0, size = 14172 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1028\SetupResources.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\stop.ico.locked offset = 0, size = 10138 True 1
Fn
Data
Module (79)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load kernel32 base_address = 0x75e90000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x75ea4280 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (47)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 25013068090 True 1
Fn
Get Time type = Performance Ctr, time = 25370550746 True 1
Fn
Get Time type = System Time True 22
Fn
Get Time type = Performance Ctr, time = 25407843480 True 1
Fn
Get Time type = Performance Ctr, time = 25572788582 True 1
Fn
Get Time type = Performance Ctr, time = 25587547246 True 1
Fn
Get Time type = Performance Ctr, time = 25781768727 True 1
Fn
Get Time type = Performance Ctr, time = 25796327791 True 1
Fn
Get Time type = Performance Ctr, time = 25960112073 True 1
Fn
Get Time type = Performance Ctr, time = 25984784278 True 1
Fn
Get Time type = Performance Ctr, time = 26010570819 True 1
Fn
Get Time type = Performance Ctr, time = 26038799721 True 1
Fn
Get Time type = Performance Ctr, time = 26213523726 True 1
Fn
Get Time type = Performance Ctr, time = 26221562291 True 1
Fn
Get Time type = Performance Ctr, time = 27579519517 True 1
Fn
Get Time type = Performance Ctr, time = 27611767070 True 1
Fn
Get Time type = Performance Ctr, time = 27737711861 True 1
Fn
Get Time type = Performance Ctr, time = 27783261151 True 1
Fn
Get Time type = Performance Ctr, time = 27863283729 True 1
Fn
Get Time type = Performance Ctr, time = 27876411209 True 1
Fn
Get Time type = Performance Ctr, time = 27986304096 True 1
Fn
Get Time type = Performance Ctr, time = 27992407316 True 1
Fn
Get Time type = Performance Ctr, time = 28055789697 True 1
Fn
Get Time type = Performance Ctr, time = 28077351421 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (2521)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 2520
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (10)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\nl-NL\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\en-US\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\Fonts\segmono_boot.ttf True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\zh-TW\memtest.exe.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Setup.ico True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1046\SetupResources.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1045\SetupResources.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1025\SetupResources.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1028\SetupResources.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\stop.ico True 1
Fn
Process #27: zzbdrimp5619.exe
Information Value
ID #27
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:46, Reason: Child Process
Unmonitor End Time: 00:03:15, Reason: Self Terminated
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0xfc4
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x754
0x26C
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\588bce7c90097ed212\1029\SetupResources.dll.locked 17.98 KB MD5: a1e355ea0e2c59e8f24dabb70b3bc84f
SHA1: c983630941fe732e27464b9d21dd675fc5ac211b
SHA256: db1cfdbc69a77e3d7315ece0aa905f743a94fcdb60ce5d318bcc14bb734ea376
SSDeep: 384:cQVkO2FtsyHyQc4HcB1SbgLU5+zhApMvH77mSWgkbFjL2yFbh:cQVkBtsySQc4SS0sizCSr+j1N
False
C:\588bce7c90097ed212\SetupUi.xsd.locked 29.56 KB MD5: e6f03e92e01c501b1247a88166f7f069
SHA1: 24e4beae665c814da631ce036748a824b47f0a87
SHA256: 3707b0df06f33584ab352f2a0f080c55f5754ea0601cf8273ae6f06563ec31e8
SSDeep: 768:pzDvkFxoLa1SyQuh5at+jUi+Uw0+3TMDDVJv9W7zLFIF6:pzDvknoO1+uHIK+jMXVJU3Fz
False
C:\588bce7c90097ed212\3082\SetupResources.dll.locked 18.48 KB MD5: 6fcb5fbc69fc68d4d1ddd8a2169605c8
SHA1: 754b12882a6422cca92f13c443e0f73635574a21
SHA256: 9a663e5994fb1fab96cf385f3c4658113bec1e01f50e7b9a8335b126c27b6c02
SSDeep: 384:jSKywp8R9bodReu/oDR4b493k+KwuU15db83lxA4eVEHkFtOisp5Gs2/:Wec4euubpSUHdb81xKtI5Gs4
False
C:\588bce7c90097ed212\1035\SetupResources.dll.locked 17.98 KB MD5: d56f9dd99053ee61742d7ef72494b854
SHA1: ccc76115cf50f8e1fb865290c5d4a12f0088e6ba
SHA256: 82687c87417a123243d0d0d76be9ec3d677844d6d2ec32244b5c3ec6a36f620b
SSDeep: 384:kAgPUXXSpF1582Xgapts2tiMMa7TE6gUh5IhRw3ONUNt:jgPSXSpO2rpDtiIlgU7yw30UH
False
C:\588bce7c90097ed212\1053\SetupResources.dll.locked 17.48 KB MD5: c6fabcc11a48bd7246208d938f7b4669
SHA1: 3df37aab90f981ac54af851c3d88bd6caa435e93
SHA256: 4b5aaea5d11a310a7cc575dbb81abef601e152689819a30ffb06ceaf99c645e7
SSDeep: 384:XTmS4eWqRzy4ZmyeKMgivQI5EDtkQVPgzvMG8un:DXzzy4ZX/MMdgz0cn
False
C:\588bce7c90097ed212\1037\SetupResources.dll.locked 16.48 KB MD5: 6fbc861616aaf7d04d4365599bbdf832
SHA1: e50ee665b348864e7fc297062266b7cd2291db9b
SHA256: f7fa50e678dc3ce51ca80300bb69f0f5bbb597073e58de2484607912b82aa8a9
SSDeep: 384:urom6vFsQLf53n7k8IeGN3tDcWlHkD1fONGmFTfYojnqfe:gIvFZLhr5K3tQWlHkJfUeoGfe
False
C:\588bce7c90097ed212\3076\SetupResources.dll.locked 13.98 KB MD5: 5316605c3a4e87c88906303858a881d0
SHA1: fddc53ce8d70b01f8a244438d1b5cffbf76f516d
SHA256: 4301a7cb61c3b7b36219af126026db07f4bef03d67b4401b445439c7ca4606b9
SSDeep: 384:LmjKMuTAdazHM6e53gt5hGmOWKGsE3SvIFgzI4gil:Ah53U5P1sMWI6c4Fl
False
C:\588bce7c90097ed212\Graphics\warn.ico.locked 10.04 KB MD5: 55c3dd517cce68d2824ed519860466e8
SHA1: 29e45c010c10d09f762e8f9366625c5d6a7d5e40
SHA256: d15847581fb6a682e2341076d4ad1d4a2d11c9d66d1ccc5cf5b9444299168386
SSDeep: 192:2lEeuQwYCnMVJ50khTepmXiNZTs3fWGY6H/Sg8y+Ppl6yk:rLMZ0khq4eZYPq6fEXle
False
C:\BOOTSECT.BAK.locked 8.14 KB MD5: 30e0e120068bbe156b146c41ed63299b
SHA1: a8737a15e020f563542ddc390867da439c39936a
SHA256: 324a2a9db74e077e979893b22298560450ee9b1328bf2677de74ca4cfc6f5288
SSDeep: 192:y5kyWNmm5x/FuVo4S7KNgoOByHZTEN4J03At8RO+XDzw:enm5BF/KNghb4JxmROUDzw
False
C:\588bce7c90097ed212\1037\eula.rtf.locked 6.83 KB MD5: bb5aaad9cb4c5d3ef9fe69353db08701
SHA1: 005a9a1ddc591fa1e50575ffece3b3c55b095ad8
SHA256: c1660e13083f15b03866d59229b10cd6d0a88f63f9dfb4228b8d20329e5fc7b6
SSDeep: 192:+B0Cr4Rep+32ETF+sFgXn81bTL3dUs3T+g0Bhr3:+B024hxF+e8n8hPdOBhr3
False
C:\588bce7c90097ed212\1053\eula.rtf.locked 3.92 KB MD5: 4edbe8539edc95b71f8b572dde4fa7f2
SHA1: 56efe68107b258e00eb9fa40f205a68ec66f2754
SHA256: aa29d0a7754f287618d24b5035f9e3cd86f1d1042cae64c9c057db58b072be8e
SSDeep: 96:6qe70E+040n34gSRmRsUXwrSoER2lrjXkR+fueO:w7340nIgi0PXzoERwAgfuz
False
Host Behavior
File (103)
Operation Filename Additional Information Success Count Logfile
Get Info C:\588bce7c90097ed212\SetupUi.xsd type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\SetupUi.xsd.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\3082\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\3082\SetupResources.dll.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1035\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1035\SetupResources.dll.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1029\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1029\SetupResources.dll.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1053\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1053\SetupResources.dll.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1037\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1037\SetupResources.dll.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\3076\SetupResources.dll type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\3076\SetupResources.dll.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\Graphics\warn.ico type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\Graphics\warn.ico.locked type = file_attributes False 1
Fn
Get Info C:\BOOTSECT.BAK type = file_attributes True 3
Fn
Get Info C:\BOOTSECT.BAK.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1037\eula.rtf type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1037\eula.rtf.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1053\eula.rtf type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1053\eula.rtf.locked type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\588bce7c90097ed212\SetupUi.xsd.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\3082\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1035\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1029\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1053\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1037\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\3076\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\Graphics\warn.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\BOOTSECT.BAK.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1037\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\1053\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\588bce7c90097ed212\SetupUi.xsd.locked source_filename = C:\588bce7c90097ed212\SetupUi.xsd, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\3082\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\3082\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1035\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1035\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1029\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1029\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1053\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1053\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1037\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1037\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\3076\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\3076\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Graphics\warn.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\warn.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\BOOTSECT.BAK.locked source_filename = C:\BOOTSECT.BAK, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1037\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1037\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\1053\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1053\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\588bce7c90097ed212\SetupUi.xsd.locked size = 30120, size_out = 30120 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\3082\SetupResources.dll.locked size = 18776, size_out = 18776 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1035\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1029\SetupResources.dll.locked size = 18264, size_out = 18264 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1053\SetupResources.dll.locked size = 17752, size_out = 17752 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1037\SetupResources.dll.locked size = 16728, size_out = 16728 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\3076\SetupResources.dll.locked size = 14168, size_out = 14168 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\warn.ico.locked size = 10134, size_out = 10134 True 1
Fn
Data
Read \??\\C:\BOOTSECT.BAK.locked size = 8192, size_out = 8192 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1037\eula.rtf.locked size = 6851, size_out = 6851 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\1053\eula.rtf.locked size = 3865, size_out = 3865 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\SetupUi.xsd.locked offset = 0, size = 30124 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\SetupUi.xsd.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\3082\SetupResources.dll.locked offset = 0, size = 18780 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\3082\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1035\SetupResources.dll.locked offset = 0, size = 18268 True 1
Write \??\\C:\588bce7c90097ed212\1035\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1029\SetupResources.dll.locked offset = 0, size = 18268 True 1
Write \??\\C:\588bce7c90097ed212\1029\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1053\SetupResources.dll.locked offset = 0, size = 17756 True 1
Write \??\\C:\588bce7c90097ed212\1053\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1037\SetupResources.dll.locked offset = 0, size = 16732 True 1
Write \??\\C:\588bce7c90097ed212\1037\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\3076\SetupResources.dll.locked offset = 0, size = 14172 True 1
Write \??\\C:\588bce7c90097ed212\3076\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\warn.ico.locked offset = 0, size = 10138 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\warn.ico.locked size = 144 True 1
Write \??\\C:\BOOTSECT.BAK.locked offset = 0, size = 8196 True 1
Write \??\\C:\BOOTSECT.BAK.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1037\eula.rtf.locked offset = 0, size = 6855 True 1
Write \??\\C:\588bce7c90097ed212\1037\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1053\eula.rtf.locked offset = 0, size = 3869 True 1
Write \??\\C:\588bce7c90097ed212\1053\eula.rtf.locked size = 144 True 1
Module (77)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (47)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 25917239845 True 1
Get Time type = Performance Ctr, time = 26059624146 True 1
Get Time type = System Time True 22
Get Time type = Performance Ctr, time = 26077078645 True 1
Get Time type = Performance Ctr, time = 26216882225 True 1
Get Time type = Performance Ctr, time = 26231629725 True 1
Get Time type = Performance Ctr, time = 27583952506 True 1
Get Time type = Performance Ctr, time = 27616285996 True 1
Get Time type = Performance Ctr, time = 27733350941 True 1
Get Time type = Performance Ctr, time = 27777240251 True 1
Get Time type = Performance Ctr, time = 27826863320 True 1
Get Time type = Performance Ctr, time = 27848025907 True 1
Get Time type = Performance Ctr, time = 27898842852 True 1
Get Time type = Performance Ctr, time = 27919309173 True 1
Get Time type = Performance Ctr, time = 27980267677 True 1
Get Time type = Performance Ctr, time = 27998534564 True 1
Get Time type = Performance Ctr, time = 28071358791 True 1
Get Time type = Performance Ctr, time = 28093549062 True 1
Get Time type = Performance Ctr, time = 28211591847 True 1
Get Time type = Performance Ctr, time = 28228555896 True 1
Get Time type = Performance Ctr, time = 28359683478 True 1
Get Time type = Performance Ctr, time = 28372355803 True 1
Get Time type = Performance Ctr, time = 28458616899 True 1
Get Time type = Performance Ctr, time = 28493734052 True 1
Get Info type = Hardware Information True 2
Mutex (1657)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1656
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Debug (10)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\SetupUi.xsd True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1035\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1029\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1053\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1037\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\3076\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\warn.ico True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\BOOTSECT.BAK True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1037\eula.rtf True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1053\eula.rtf True 1
Process #28: zzbdrimp5619.exe
1644 0
Information Value
ID #28
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:02:47, Reason: Child Process
Unmonitor End Time: 00:03:16, Reason: Self Terminated
Monitor Duration 00:00:29
OS Process Information
Information Value
PID 0xa88
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x738
0xF88
Dropped Files
Filename File Size Hash Values YARA Match Actions
Host Behavior
File (103)
Operation Filename Additional Information Success Count Logfile
Get Info C:\588bce7c90097ed212\1043\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1043\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\2070\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2070\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1036\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1036\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1044\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1044\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1055\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1055\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1033\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1033\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1041\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1041\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\Boot\Resources\en-US\bootres.dll.mui type = file_attributes True 3
Get Info C:\Boot\Resources\en-US\bootres.dll.mui.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\2052\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2052\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\2070\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\2070\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1035\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1035\eula.rtf.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\588bce7c90097ed212\1043\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\2070\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1036\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1044\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1055\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1033\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1041\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\Resources\en-US\bootres.dll.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\2052\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\2070\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1035\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\1043\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1043\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\2070\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\2070\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1036\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1036\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1044\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1044\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1055\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1055\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1033\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1033\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1041\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1041\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\Resources\en-US\bootres.dll.mui.locked source_filename = C:\Boot\Resources\en-US\bootres.dll.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\2052\eula.rtf.locked source_filename = C:\588bce7c90097ed212\2052\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\2070\eula.rtf.locked source_filename = C:\588bce7c90097ed212\2070\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1035\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1035\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\1043\SetupResources.dll.locked size = 19288, size_out = 19288 True 1
Read \??\\C:\588bce7c90097ed212\2070\SetupResources.dll.locked size = 18776, size_out = 18776 True 1
Read \??\\C:\588bce7c90097ed212\1036\SetupResources.dll.locked size = 18776, size_out = 18776 True 1
Read \??\\C:\588bce7c90097ed212\1044\SetupResources.dll.locked size = 17752, size_out = 17752 True 1
Read \??\\C:\588bce7c90097ed212\1055\SetupResources.dll.locked size = 17752, size_out = 17752 True 1
Read \??\\C:\588bce7c90097ed212\1033\SetupResources.dll.locked size = 17240, size_out = 17240 True 1
Read \??\\C:\588bce7c90097ed212\1041\SetupResources.dll.locked size = 15704, size_out = 15704 True 1
Read \??\\C:\Boot\Resources\en-US\bootres.dll.mui.locked size = 12192, size_out = 12192 True 1
Read \??\\C:\588bce7c90097ed212\2052\eula.rtf.locked size = 5827, size_out = 5827 True 1
Read \??\\C:\588bce7c90097ed212\2070\eula.rtf.locked size = 4015, size_out = 4015 True 1
Read \??\\C:\588bce7c90097ed212\1035\eula.rtf.locked size = 3702, size_out = 3702 True 1
Write \??\\C:\588bce7c90097ed212\1043\SetupResources.dll.locked offset = 0, size = 19292 True 1
Write \??\\C:\588bce7c90097ed212\1043\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\2070\SetupResources.dll.locked offset = 0, size = 18780 True 1
Write \??\\C:\588bce7c90097ed212\2070\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1036\SetupResources.dll.locked offset = 0, size = 18780 True 1
Write \??\\C:\588bce7c90097ed212\1036\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1044\SetupResources.dll.locked offset = 0, size = 17756 True 1
Write \??\\C:\588bce7c90097ed212\1044\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1055\SetupResources.dll.locked offset = 0, size = 17756 True 1
Write \??\\C:\588bce7c90097ed212\1055\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1033\SetupResources.dll.locked offset = 0, size = 17244 True 1
Write \??\\C:\588bce7c90097ed212\1033\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1041\SetupResources.dll.locked offset = 0, size = 15708 True 1
Write \??\\C:\588bce7c90097ed212\1041\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\Boot\Resources\en-US\bootres.dll.mui.locked offset = 0, size = 12196 True 1
Write \??\\C:\Boot\Resources\en-US\bootres.dll.mui.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\2052\eula.rtf.locked offset = 0, size = 5831 True 1
Write \??\\C:\588bce7c90097ed212\2052\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\2070\eula.rtf.locked offset = 0, size = 4019 True 1
Write \??\\C:\588bce7c90097ed212\2070\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1035\eula.rtf.locked offset = 0, size = 3706 True 1
Write \??\\C:\588bce7c90097ed212\1035\eula.rtf.locked size = 144 True 1
Module (77)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (47)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 25962840637 True 1
Get Time type = Performance Ctr, time = 26078217215 True 1
Get Time type = System Time True 22
Get Time type = Performance Ctr, time = 26089975703 True 1
Get Time type = Performance Ctr, time = 26207919042 True 1
Get Time type = Performance Ctr, time = 26210754933 True 1
Get Time type = Performance Ctr, time = 27567481822 True 1
Get Time type = Performance Ctr, time = 27596765295 True 1
Get Time type = Performance Ctr, time = 27761699681 True 1
Get Time type = Performance Ctr, time = 27772847726 True 1
Get Time type = Performance Ctr, time = 27795913785 True 1
Get Time type = Performance Ctr, time = 27809788711 True 1
Get Time type = Performance Ctr, time = 27874437315 True 1
Get Time type = Performance Ctr, time = 27899748460 True 1
Get Time type = Performance Ctr, time = 27977996527 True 1
Get Time type = Performance Ctr, time = 27997044005 True 1
Get Time type = Performance Ctr, time = 28135706298 True 1
Get Time type = Performance Ctr, time = 28156699479 True 1
Get Time type = Performance Ctr, time = 28368417315 True 1
Get Time type = Performance Ctr, time = 28379482031 True 1
Get Time type = Performance Ctr, time = 28453353826 True 1
Get Time type = Performance Ctr, time = 28478317647 True 1
Get Time type = Performance Ctr, time = 28564372215 True 1
Get Time type = Performance Ctr, time = 28585258422 True 1
Get Info type = Hardware Information True 2
Mutex (1381)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1380
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (10)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1043\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1036\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1044\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1055\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1033\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1041\SetupResources.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\Resources\en-US\bootres.dll.mui True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\2052\eula.rtf True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\2070\eula.rtf True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1035\eula.rtf True 1
Process #29: zzbdrimp5619.exe
1938 0
Information Value
ID #29
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:05, Reason: Child Process
Unmonitor End Time: 00:03:19, Reason: Self Terminated
Monitor Duration 00:00:14
OS Process Information
Information Value
PID 0xec8
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x9F0, 0x15C
Dropped Files
Filename File Size Hash Values YARA Match
C:\588bce7c90097ed212\DHtmlHeader.html.locked 15.88 KB MD5: b89f7a3563a9aaec038247313eb4878d
SHA1: 5c3b1fdae6fc4e8617e48c4b3379750603470879
SHA256: a1088b6669bde2f619c1f8e114ef56b0ed1f2d9071703bfb387d8a53068e69fb
SSDeep: 192:jRC8Dz3OSUlmZ84rAL89k3Poyg1xxswNKwedjTWbuG3RH6FJUSK9Ta255yAqiPL5:jM8H3+o8BhGktXvG0TK9IO0sK8Uq
YARA Match: False
C:\588bce7c90097ed212\1042\SetupResources.dll.locked 14.98 KB MD5: 5f767a9f7b06071f9e523d35f2d71804
SHA1: 6072463822073b8db3891740862357da72f9e943
SHA256: 33a4abb7d08976c737e2e8fd136398960587e82cd96c5ed026d3ea12d02b4aa0
SSDeep: 384:H2a65G7paSvh31gRRbTDGdwaUFRtio23vwSfxNjWgA5P:H2aIG7ll1S7F3tY3hq/5P
YARA Match: False
C:\588bce7c90097ed212\1042\eula.rtf.locked 12.53 KB MD5: fc6965aae0de996ed1fac55a6f63b0d4
SHA1: 29538a777c6a1dabe5ab7c54066f747dee89c4b6
SHA256: 3fe73f6afc08119023383750ae153ca76a5805caae51a9d68bb8b4fbed883f34
SSDeep: 384:Vr7CozefCV4o/7KbMeVaCCdI1BJgSz7j2:Vr7zV4yXe0mV3zf2
YARA Match: False
C:\588bce7c90097ed212\1032\eula.rtf.locked 8.81 KB MD5: 244eaba75203f645746c5d1b8b54836f
SHA1: 2d8c4b6fb5d949a7dc7bffe6651fa438d48c5e53
SHA256: 7d129311d30383da1340134170b175e1afdbb10a83262bcc3d300186762b96e1
SSDeep: 192:QqUn1cHtpx3ungprY3n9V9ItN65+ixcATw+TYwcJpp+c4pB8:vuGb3+gprqdI76IixcAMUYky
YARA Match: False
C:\588bce7c90097ed212\1028\eula.rtf.locked 6.31 KB MD5: 7b781edd5e5c0a54db47ad984b28520d
SHA1: ae8a3ea575a93f6f9d13d997164485cb78d703ae
SHA256: 7713b76d30ef544f2c0ab225e8242bbe4c6d141ec301dd3478050fc00a5660b5
SSDeep: 192:Ep9AywvY7YDCItVh926dRWc5Tkx4TnfewOmF8Eu:Ep95qclIfD267Wt+nWwOmF8Eu
YARA Match: False
C:\588bce7c90097ed212\1045\eula.rtf.locked 4.09 KB MD5: cd029746449595c540d2600a30f71ece
SHA1: e362c33b13cbe960b90461e430eeb7eac9bdbaa0
SHA256: 11fc6c46cab470a0118687651d474007478b48ba9dca203e825160c5bb19da8d
SSDeep: 96:Z923LUD39JS5JIHECBUGEFHCnD8ncgujcDWfwcrAnVG/Z:30qsJIHECmV+8Cc6YcrOG/Z
YARA Match: False
C:\588bce7c90097ed212\1029\eula.rtf.locked 3.78 KB MD5: 24e08fd9c9189e8746ac015fef612787
SHA1: 07dc31a92e03da6e8ddb4577c295e0ff1a57e5a8
SHA256: 573bb89d0e2a2dde35f59b0d9fe4c3be4b4047e15a3dfc73e9274ab2c999a107
SSDeep: 96:vexy3Mg+w6d1zvOF+uDFeXe88D9gywDpx4njCEYjr:v53RoDzvOocIMnw1YIn
YARA Match: False
C:\588bce7c90097ed212\1046\eula.rtf.locked 3.74 KB MD5: e6f2a19301be64c47b6014407901566f
SHA1: 7a2860ffff03c856d115d3f16adbc81534e9194d
SHA256: 806ba6c27a9b0a841f060bd20f1f90ae122966be8d96101150f70124e240a326
SSDeep: 96:i4zUGdJPCRAPQqw5yoBZXbMHlwIG+B9wE2qoH:FzUGdJaaWHbMHc+B9wioH
YARA Match: False
C:\588bce7c90097ed212\1043\eula.rtf.locked 3.61 KB MD5: ef0657700153c98b21db03c4272edf3e
SHA1: 604b7aa77ff29466af76234400f522cd0712dbcf
SHA256: 29430e1d56d4ca7ee96b814880cd9310d24f06bf9694dd22b6635b4e885d553f
SSDeep: 96:WqeBqWtZW9YmIfy9rj/GT9zkBlZtknjPuiHqxi1iEZ:WqgqWtZWm4rjOT+DZwSi6i1N
YARA Match: False
C:\588bce7c90097ed212\1031\eula.rtf.locked 3.48 KB MD5: e7a8b20d1d507b9137f384259c7a744f
SHA1: e2866f4ffe4eee5c8b3a406c2a2fe4d83e7af43a
SHA256: e74d0a59390b18934109e8daf60cbf763f050649123a81ff8e1e96a4841e8c26
SSDeep: 96:wQbZ55DsiL6s47DAWm308Ynq9iq42WH75e3:waZLsiWT7D1qxz3
YARA Match: False
C:\588bce7c90097ed212\Graphics\Save.ico.locked 1.27 KB MD5: 7b8d10a55a299a4a61dbfe091febb52c
SHA1: 168912ae516f433c8f8dbefcc88a3d76ad2e25c5
SHA256: ca2741afdddc2f2f64ecaff8bfec8f1bf565df3874508ed2994bd330b780ae1e
SSDeep: 24:abia/zagU85yuLF4vB3N15A0+bit9hya/aaxNtd/B8ntGPg:Y+gXyk+F5A0Nt9hxaaxNtd/BEgg
YARA Match: False
Host Behavior
File (103)
Operation Filename Additional Information Success Count
Get Info C:\588bce7c90097ed212\DHtmlHeader.html type = file_attributes True 3
Get Info C:\588bce7c90097ed212\DHtmlHeader.html.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1042\SetupResources.dll type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1042\SetupResources.dll.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1042\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1042\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1032\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1032\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1028\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1028\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1045\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1045\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1029\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1029\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1046\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1046\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1043\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1043\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1031\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1031\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\Save.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Save.ico.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\588bce7c90097ed212\DHtmlHeader.html.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1042\SetupResources.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1042\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1032\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1028\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1045\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1029\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1046\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1043\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1031\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\Save.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\DHtmlHeader.html.locked source_filename = C:\588bce7c90097ed212\DHtmlHeader.html, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1042\SetupResources.dll.locked source_filename = C:\588bce7c90097ed212\1042\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1042\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1042\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1032\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1032\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1028\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1028\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1045\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1045\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1029\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1029\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1046\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1046\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1043\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1043\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1031\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1031\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Graphics\Save.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Save.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\DHtmlHeader.html.locked size = 16118, size_out = 16118 True 1
Read \??\\C:\588bce7c90097ed212\1042\SetupResources.dll.locked size = 15192, size_out = 15192 True 1
Read \??\\C:\588bce7c90097ed212\1042\eula.rtf.locked size = 12687, size_out = 12687 True 1
Read \??\\C:\588bce7c90097ed212\1032\eula.rtf.locked size = 8876, size_out = 8876 True 1
Read \??\\C:\588bce7c90097ed212\1028\eula.rtf.locked size = 6309, size_out = 6309 True 1
Read \??\\C:\588bce7c90097ed212\1045\eula.rtf.locked size = 4040, size_out = 4040 True 1
Read \??\\C:\588bce7c90097ed212\1029\eula.rtf.locked size = 3726, size_out = 3726 True 1
Read \??\\C:\588bce7c90097ed212\1046\eula.rtf.locked size = 3683, size_out = 3683 True 1
Read \??\\C:\588bce7c90097ed212\1043\eula.rtf.locked size = 3546, size_out = 3546 True 1
Read \??\\C:\588bce7c90097ed212\1031\eula.rtf.locked size = 3419, size_out = 3419 True 1
Read \??\\C:\588bce7c90097ed212\Graphics\Save.ico.locked size = 1150, size_out = 1150 True 1
Write \??\\C:\588bce7c90097ed212\DHtmlHeader.html.locked offset = 0, size = 16122 True 1
Write \??\\C:\588bce7c90097ed212\DHtmlHeader.html.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1042\SetupResources.dll.locked offset = 0, size = 15196 True 1
Write \??\\C:\588bce7c90097ed212\1042\SetupResources.dll.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1042\eula.rtf.locked offset = 0, size = 12691 True 1
Write \??\\C:\588bce7c90097ed212\1042\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1032\eula.rtf.locked offset = 0, size = 8880 True 1
Write \??\\C:\588bce7c90097ed212\1032\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1028\eula.rtf.locked offset = 0, size = 6313 True 1
Write \??\\C:\588bce7c90097ed212\1028\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1045\eula.rtf.locked offset = 0, size = 4044 True 1
Write \??\\C:\588bce7c90097ed212\1045\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1029\eula.rtf.locked offset = 0, size = 3730 True 1
Write \??\\C:\588bce7c90097ed212\1029\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1046\eula.rtf.locked offset = 0, size = 3687 True 1
Write \??\\C:\588bce7c90097ed212\1046\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1043\eula.rtf.locked offset = 0, size = 3550 True 1
Write \??\\C:\588bce7c90097ed212\1043\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1031\eula.rtf.locked offset = 0, size = 3423 True 1
Write \??\\C:\588bce7c90097ed212\1031\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\Save.ico.locked offset = 0, size = 1154 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\Save.ico.locked size = 144 True 1
Module (77)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
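Two things in the Module and User tables above (and in the identical tables for the previous worker process) matter more than the threadpool and locale resolutions around them. First, the process fetches by name at run time, rather than through its import table, the three Restart Manager calls RmStartSession, RmRegisterResources and RmGetList, which together return the list of processes holding a given file open; the ntdll file I/O set NtOpenFile, NtReadFile, NtWriteFile and NtClose, consistent with the NT-style \??\ paths on the Open, Read and Write rows; and CreateSymbolicLinkW and CreateHardLinkW. Second, the Lookup Privilege rows resolve SeDebugPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeLockMemoryPrivilege and SeCreateGlobalPrivilege to LUIDs, which pairs with the FILE_OPEN_FOR_BACKUP_INTENT option on the file opens. A lookup proves nothing about AdjustTokenPrivileges: the process information table lists only SeChangeNotifyPrivilege, SeImpersonatePrivilege and SeCreateGlobalPrivilege as enabled. The script below is an added example, not part of the report; it turns a constructed subset of those rows (copied from the tables above, with one unrelated resolution left in) into a capability profile that can be diffed across processes or samples. The capability names and groupings are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample input: a subset of the Module, User and Mutex rows for this
# process, copied as the report prints them. GetTickCount64 is included only to
# show that resolutions outside the groups below are recorded but not scored.
ROWS = r"""
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
"""

# Groupings are this example's own. Every name in a group must be resolved for
# the capability to count: RmStartSession alone cannot list a file's owners.
CAPABILITIES = {
    "restart_manager_file_owners": {"RmStartSession", "RmRegisterResources", "RmGetList"},
    "ntdll_file_io": {"NtOpenFile", "NtReadFile", "NtWriteFile", "NtClose"},
    "link_creation": {"CreateSymbolicLinkW", "CreateHardLinkW"},
}
BACKUP_PRIVILEGES = {"SeBackupPrivilege", "SeRestorePrivilege"}

GETADDR = re.compile(r"^Get Address (\S+) function = (\w+), address_out = 0x[0-9a-f]+ True \d+$")
PRIV = re.compile(r"^Lookup Privilege privilege = (\w+), luid = (\d+) True \d+$")
NAMED = re.compile(r"^(?:Open mutex_name = |Map )(\S+?)[, ]")


def profile(rows):
    """Which sensitive APIs the process fetched by name at run time, which
    privileges it looked up, and which named kernel objects it attached to."""
    resolved = defaultdict(set)            # dll name -> functions fetched by name
    privileges, objects = {}, set()
    for line in rows.strip().splitlines():
        if m := GETADDR.match(line):
            dll = m.group(1).rsplit("\\", 1)[-1].lower()
            resolved[dll].add(m.group(2))
        elif m := PRIV.match(line):
            privileges[m.group(1)] = int(m.group(2))
        elif m := NAMED.match(line):
            objects.add(m.group(1))
    all_funcs = set().union(*resolved.values())
    capabilities = {name: need <= all_funcs for name, need in CAPABILITIES.items()}
    # A lookup only maps a privilege name to a LUID. Whether it was then enabled
    # must be read from the process's Enabled Privileges, not from these rows.
    capabilities["backup_restore_lookup"] = BACKUP_PRIVILEGES <= set(privileges)
    return {
        "resolved": {dll: sorted(fns) for dll, fns in sorted(resolved.items())},
        "privileges": privileges,
        "named_objects": sorted(objects),
        "capabilities": capabilities,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(profile(ROWS), indent=2))
```

The named objects it returns, MX-zzbdrimp and SM-zzbdrimp, are the same names the worker command line passes as -i SM-zzbdrimp, so they are host indicators for this run rather than constants of the family; check a second sample before writing a rule on them. Removing any one of the three Rm* rows from the input drops restart_manager_file_owners to False, which is the behaviour you want when comparing a worker that only loads rstrtmgr.dll against one that actually uses it.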
System (47)
»
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 27766593468 True 1
Fn
Get Time type = Performance Ctr, time = 27905217880 True 1
Fn
Get Time type = System Time True 22
Fn
Get Time type = Performance Ctr, time = 27916367447 True 1
Fn
Get Time type = Performance Ctr, time = 27950799499 True 1
Fn
Get Time type = Performance Ctr, time = 27995968534 True 1
Fn
Get Time type = Performance Ctr, time = 28034528156 True 1
Fn
Get Time type = Performance Ctr, time = 28063940026 True 1
Fn
Get Time type = Performance Ctr, time = 28149292731 True 1
Fn
Get Time type = Performance Ctr, time = 28178711303 True 1
Fn
Get Time type = Performance Ctr, time = 28335497752 True 1
Fn
Get Time type = Performance Ctr, time = 28361328145 True 1
Fn
Get Time type = Performance Ctr, time = 28448016158 True 1
Fn
Get Time type = Performance Ctr, time = 28470410783 True 1
Fn
Get Time type = Performance Ctr, time = 28548018384 True 1
Fn
Get Time type = Performance Ctr, time = 28570442475 True 1
Fn
Get Time type = Performance Ctr, time = 28602538209 True 1
Fn
Get Time type = Performance Ctr, time = 28612330769 True 1
Fn
Get Time type = Performance Ctr, time = 28685139588 True 1
Fn
Get Time type = Performance Ctr, time = 28696399992 True 1
Fn
Get Time type = Performance Ctr, time = 28785763652 True 1
Fn
Get Time type = Performance Ctr, time = 28807631456 True 1
Fn
Get Time type = Performance Ctr, time = 28893774744 True 1
Fn
Get Time type = Performance Ctr, time = 28910233032 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1674)
Operation | Additional Information | Success | Count
Open | mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | True | 1
Release | mutex_name = MX-zzbdrimp | True | 1673
Environment (1)
Operation | Additional Information | Success | Count
Get Environment String | - | True | 1
Debug (11)
Operation | Process | Additional Information | Success | Count
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\DHtmlHeader.html | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1042\SetupResources.dll | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1042\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1032\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1028\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1045\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1029\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1046\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1043\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1031\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Save.ico | True | 1
Process #30: zzbdrimp5619.exe
Information | Value
ID | #30
File Name | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line | C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory | C:\Users\FD1HVy\Desktop\
Monitor | Start Time: 00:03:06, Reason: Child Process
Unmonitor | End Time: 00:03:23, Reason: Self Terminated
Monitor Duration | 00:00:16
OS Process Information
Information | Value
PID | 0x6dc
Parent PID | 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness | 32-bit
Is Created or Modified Executable | True
Integrity Level | High (Elevated)
Username | NQDPDE\FD1HVy
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0x7CC, 0xD98
Dropped Files
Filename | File Size | YARA Match
C:\588bce7c90097ed212\2052\SetupResources.dll.locked | 13.98 KB | False
  MD5: 9bbd578f9979ce279b311bd88c7ac60d
  SHA1: 78e25963c80f72034c3776c9d2123fb8e52f0487
  SHA256: 6b6054dfbcf432b95257e7cc705cc950a196d0ae291ce06480096a373999c325
  SSDeep: 384:yU/MW6k5h+jIbJDO4xhdX9QeqqFEMsc50mds51DH8FhsIecm:QkPGcE4pXR0mC2LsIC
C:\588bce7c90097ed212\1041\eula.rtf.locked | 10.03 KB | False
  MD5: 88f8b5bb2163fe833ab78fb801a8bd36
  SHA1: 865a840f6ef1421339dc43d0e5b290bb1d7ab5f6
  SHA256: fe6eaaa26346de5dab8ab0f2f4b911331e05e642ed8f679a60062542eae7d095
  SSDeep: 192:XFuPKFAwLHPgu3JdkN1NgNdc7XqkCIwNo65biVEQWi2V:XFDvHYuAuLIXqnIT65QE8+
C:\588bce7c90097ed212\1025\eula.rtf.locked | 7.53 KB | False
  MD5: e22e60ef0d1e01e836111c9e2ebff843
  SHA1: 4fb6eb20a6f5dd84113203b68b8552913ea366ea
  SHA256: 0a1028ac296c9f5293f5329b3a9efc10da5df3086c8b917e61baf9f21634845d
  SSDeep: 192:taS2M0GcsqclKroVUau0K3d33g3KjRoW9SIZzAR/cqR4:TZ+s50rGkXg3KjGW9SIA/PR4
C:\588bce7c90097ed212\3076\eula.rtf.locked | 6.31 KB | False
  MD5: 4a1881e6a75a0d5b3d78e02fd67d10ee
  SHA1: 765744dce0962a208ec96ce24fd09a86c365b5e1
  SHA256: 25c72b43170ad3b8a867e8ab03e7fa2865814c48cb4473a608f13ef395341333
  SSDeep: 192:fQFNU9bGFayNbFuF3g8xmCCZHx2eJmqsikp:fQFNqbSayDWgQrPqnS
C:\588bce7c90097ed212\1038\eula.rtf.locked | 4.30 KB | False
  MD5: 8cead3d2c97ce32196c0dc5a5903ef2e
  SHA1: c5f52d46de21c883a451efeaa100ad90a41cd515
  SHA256: bccbe889e51f82ea3aecb30c25b09a602013310df0be039903150cda5439e032
  SSDeep: 96:0ffR7dXcKbXHCL5kzDVUhtQbA/zy/JISgSO:0NdMkTDauAry4SO
C:\588bce7c90097ed212\1055\eula.rtf.locked | 3.91 KB | False
  MD5: 3880b8ed3ae9663cbe2afdfc305ea375
  SHA1: 1bd036aaed5e67046d39cd105131f15a4ad5f2a4
  SHA256: 3610045a06718bfdfe5229ab3268ac4fd56b41beb7422af771a7de9753a457a5
  SSDeep: 96:lnKorSsYkDJQiwDCo+n1LDqKHplwnJL+cTeB54wxRwtE:nZLDJbwDCo+nRqKPeL73Y0E
C:\588bce7c90097ed212\header.bmp.locked | 3.69 KB | False
  MD5: d5deb4872c84bac4d07239f334fe6a44
  SHA1: 427109e393cd990fb7c9305526bc5a4b41bb5fd5
  SHA256: 69cc16ff5e6a5ed673478e384a037cff29ca249052fbe64240893422b794636f
  SSDeep: 96:Kx44CcTscUgUDF53XvAI2nYT10CQS43mvUUTK:Mv4cUVF5/Ta3me
C:\588bce7c90097ed212\3082\eula.rtf.locked | 3.14 KB | False
  MD5: e707e1ea6c18037207df76706125bbbc
  SHA1: 65e5c36b4073761168c3f9b9302be88cfc1a3147
  SHA256: 8ace0d40f8363cc8c05d07f984bd51c28a7508d16cbefbbb6e50d02609e3f328
  SSDeep: 96:7/iYg+/FGk0uO2eUaiX7ShzhQcUuPzEhm:LvgOFGkfeUazhQIzP
C:\588bce7c90097ed212\Graphics\Print.ico.locked | 1.27 KB | False
  MD5: 410d01d1f6ecb9ef1762c8247a620602
  SHA1: ef104854f0d573bd66bb63c8baa025d087f8e8dd
  SHA256: 718fefe46bd06fbe82d838f6633bbacb96dfdd230d9509fb5afe975893125859
  SSDeep: 24:FtyBLSV+SdEjF3LdKtzDoTkGKWQQ9Uvr0PGuRJMqeDwAulsuF6HwnVKLoQ9ZdfvG:QLSVPA7SKO8R5O9uvJscQ9/fvfxqX
C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | 1.02 KB | False
  MD5: ba2ad8610f8e7180de25043cb7010db2
  SHA1: 51b1bfb4fbc2b41ae7ee86abb0c55c818eed2db5
  SHA256: 7c54bca594c54c2e90012f133d00ea898086a8ce7e11263a7e2551ddc250ca46
  SSDeep: 24:FiR4C2MFePWY8G1cXQiuzrKN84KZCNS3S/qHCf:EFI8G1CtQkAiqif
C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | 1.02 KB | False
  MD5: abf4fe48090af7af377cc2af33fec6eb
  SHA1: 7a4b41ede2e1024195b35a5729525570ae4759ae
  SHA256: 5e158e333f229a78017246751e731548fe0d5e52de81387eb7ac450e4021961f
  SSDeep: 24:1SLb97dv714fPG+NHW6su132QLoUnz1bSsS/GcDYr:qtp7+fu+lW6sG32QsUz1bSsiGUYr
Host Behavior
File (103)
Operation | Filename | Additional Information | Success | Count
Get Info | C:\588bce7c90097ed212\2052\SetupResources.dll | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\2052\SetupResources.dll.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\1041\eula.rtf | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\1041\eula.rtf.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\1025\eula.rtf | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\1025\eula.rtf.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\3076\eula.rtf | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\3076\eula.rtf.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\1038\eula.rtf | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\1038\eula.rtf.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\1055\eula.rtf | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\1055\eula.rtf.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\header.bmp | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\header.bmp.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\3082\eula.rtf | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\3082\eula.rtf.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\Graphics\Print.ico | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\Graphics\Print.ico.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\Graphics\Rotate6.ico | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | type = file_attributes | False | 1
Get Info | C:\588bce7c90097ed212\Graphics\Rotate3.ico | type = file_attributes | True | 3
Get Info | C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | type = file_attributes | False | 1
Open | STD_INPUT_HANDLE | - | True | 1
Open | STD_OUTPUT_HANDLE | - | True | 1
Open | STD_ERROR_HANDLE | - | True | 1
Open | \??\\C:\588bce7c90097ed212\2052\SetupResources.dll.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\1041\eula.rtf.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\1025\eula.rtf.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\3076\eula.rtf.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\1038\eula.rtf.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\1055\eula.rtf.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\header.bmp.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\3082\eula.rtf.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\Graphics\Print.ico.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open | \??\\C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE | True | 1
Open Mapping | SM-zzbdrimp | desired_access = FILE_MAP_COPY, FILE_MAP_WRITE | True | 1
Move | C:\588bce7c90097ed212\2052\SetupResources.dll.locked | source_filename = C:\588bce7c90097ed212\2052\SetupResources.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\1041\eula.rtf.locked | source_filename = C:\588bce7c90097ed212\1041\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\1025\eula.rtf.locked | source_filename = C:\588bce7c90097ed212\1025\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\3076\eula.rtf.locked | source_filename = C:\588bce7c90097ed212\3076\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\1038\eula.rtf.locked | source_filename = C:\588bce7c90097ed212\1038\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\1055\eula.rtf.locked | source_filename = C:\588bce7c90097ed212\1055\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\header.bmp.locked | source_filename = C:\588bce7c90097ed212\header.bmp, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\3082\eula.rtf.locked | source_filename = C:\588bce7c90097ed212\3082\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\Graphics\Print.ico.locked | source_filename = C:\588bce7c90097ed212\Graphics\Print.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | source_filename = C:\588bce7c90097ed212\Graphics\Rotate6.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Move | C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | source_filename = C:\588bce7c90097ed212\Graphics\Rotate3.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED | True | 1
Read | \??\\C:\588bce7c90097ed212\2052\SetupResources.dll.locked | size = 14168, size_out = 14168 | True | 1
Read | \??\\C:\588bce7c90097ed212\1041\eula.rtf.locked | size = 10125, size_out = 10125 | True | 1
Read | \??\\C:\588bce7c90097ed212\1025\eula.rtf.locked | size = 7567, size_out = 7567 | True | 1
Read | \??\\C:\588bce7c90097ed212\3076\eula.rtf.locked | size = 6309, size_out = 6309 | True | 1
Read | \??\\C:\588bce7c90097ed212\1038\eula.rtf.locked | size = 4254, size_out = 4254 | True | 1
Read | \??\\C:\588bce7c90097ed212\1055\eula.rtf.locked | size = 3859, size_out = 3859 | True | 1
Read | \??\\C:\588bce7c90097ed212\header.bmp.locked | size = 3628, size_out = 3628 | True | 1
Read | \??\\C:\588bce7c90097ed212\3082\eula.rtf.locked | size = 3069, size_out = 3069 | True | 1
Read | \??\\C:\588bce7c90097ed212\Graphics\Print.ico.locked | size = 1150, size_out = 1150 | True | 1
Read | \??\\C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | size = 894, size_out = 894 | True | 1
Read | \??\\C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | size = 894, size_out = 894 | True | 1
Write | \??\\C:\588bce7c90097ed212\2052\SetupResources.dll.locked | offset = 0, size = 14172 | True | 1
Write | \??\\C:\588bce7c90097ed212\2052\SetupResources.dll.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\1041\eula.rtf.locked | offset = 0, size = 10129 | True | 1
Write | \??\\C:\588bce7c90097ed212\1041\eula.rtf.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\1025\eula.rtf.locked | offset = 0, size = 7571 | True | 1
Write | \??\\C:\588bce7c90097ed212\1025\eula.rtf.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\3076\eula.rtf.locked | offset = 0, size = 6313 | True | 1
Write | \??\\C:\588bce7c90097ed212\3076\eula.rtf.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\1038\eula.rtf.locked | offset = 0, size = 4258 | True | 1
Write | \??\\C:\588bce7c90097ed212\1038\eula.rtf.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\1055\eula.rtf.locked | offset = 0, size = 3863 | True | 1
Write | \??\\C:\588bce7c90097ed212\1055\eula.rtf.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\header.bmp.locked | offset = 0, size = 3632 | True | 1
Write | \??\\C:\588bce7c90097ed212\header.bmp.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\3082\eula.rtf.locked | offset = 0, size = 3073 | True | 1
Write | \??\\C:\588bce7c90097ed212\3082\eula.rtf.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\Graphics\Print.ico.locked | offset = 0, size = 1154 | True | 1
Write | \??\\C:\588bce7c90097ed212\Graphics\Print.ico.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | offset = 0, size = 898 | True | 1
Write | \??\\C:\588bce7c90097ed212\Graphics\Rotate6.ico.locked | size = 144 | True | 1
Write | \??\\C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | offset = 0, size = 898 | True | 1
Write | \??\\C:\588bce7c90097ed212\Graphics\Rotate3.ico.locked | size = 144 | True | 1
Module (77)
Operation | Module | Additional Information | Success | Count
Load | api-ms-win-core-synch-l1-2-0 | base_address = 0x74ea0000 | True | 2
Load | api-ms-win-core-fibers-l1-1-1 | base_address = 0x74ea0000 | True | 2
Load | api-ms-win-core-localization-l1-2-1 | base_address = 0x74ea0000 | True | 1
Load | Rstrtmgr.dll | base_address = 0x744f0000 | True | 1
Load | ntdll.dll | base_address = 0x77bb0000 | True | 1
Load | api-ms-win-core-sysinfo-l1-2-1 | base_address = 0x74ea0000 | True | 1
Get Handle | c:\windows\syswow64\kernel32.dll | base_address = 0x75e90000 | True | 3
Get Handle | c:\windows\syswow64\ntdll.dll | base_address = 0x77bb0000 | True | 1
Get Handle | c:\users\fd1hvy\appdata\local\temp\zzbdr | base_address = 0x11a0000 | True | 2
Get Filename | - | process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 | True | 1
Get Address | c:\windows\syswow64\kernelbase.dll | address_out = 0x74f97060 | True | 1
Get Address | c:\windows\syswow64\kernelbase.dll | function = FlsAlloc, address_out = 0x74f9bea0 | True | 2
Get Address | c:\windows\syswow64\kernelbase.dll | function = FlsSetValue, address_out = 0x74f92550 | True | 2
Get Address | c:\windows\syswow64\kernelbase.dll | function = InitializeCriticalSectionEx, address_out = 0x74f97060 | True | 1
Get Address | c:\windows\syswow64\kernelbase.dll | function = FlsGetValue, address_out = 0x74f870c0 | True | 2
Get Address | c:\windows\syswow64\kernelbase.dll | address_out = 0x74f7ed00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsAlloc, address_out = 0x75ea4ae0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsFree, address_out = 0x75ea4b00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsGetValue, address_out = 0x75ea4b20 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlsSetValue, address_out = 0x75ea4b40 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeCriticalSectionEx, address_out = 0x75efebc0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InitOnceExecuteOnce, address_out = 0x74f95550 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateEventExW, address_out = 0x75efeb20 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreW, address_out = 0x75efeb90 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSemaphoreExW, address_out = 0x75efeb80 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolTimer, address_out = 0x75ea6d30 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolTimer, address_out = 0x77bfd7c0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolTimer, address_out = 0x77bfb740 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWait, address_out = 0x75ea6d70 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetThreadpoolWait, address_out = 0x77bfc0b0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWait, address_out = 0x77bfbe10 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FlushProcessWriteBuffers, address_out = 0x77c22b20 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentProcessorNumber, address_out = 0x77c152f0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateSymbolicLinkW, address_out = 0x75ea4510 | True | 2
Get Address | c:\windows\syswow64\kernel32.dll | function = GetCurrentPackageId, address_out = 0x74f9e260 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetTickCount64, address_out = 0x75ea0db0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SetFileInformationByHandle, address_out = 0x75eff110 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeConditionVariable, address_out = 0x77c13a00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = WakeConditionVariable, address_out = 0x77c88c50 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | address_out = 0x77c18a90 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableCS, address_out = 0x7500fca0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = InitializeSRWLock, address_out = 0x77c13a00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SleepConditionVariableSRW, address_out = 0x7500fcf0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateThreadpoolWork, address_out = 0x75ea6db0 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = SubmitThreadpoolWork, address_out = 0x77bfeb00 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CloseThreadpoolWork, address_out = 0x77bfed50 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CompareStringEx, address_out = 0x75ea7050 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = GetLocaleInfoEx, address_out = 0x75ea7190 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = LCMapStringEx, address_out = 0x75ea7480 | True | 1
Get Address | c:\windows\syswow64\kernel32.dll | function = CreateHardLinkW, address_out = 0x75ea44f0 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = NtQuerySection, address_out = 0x77c22220 | True | 1
Get Address | c:\windows\syswow64\rstrtmgr.dll | function = RmStartSession, address_out = 0x744f7930 | True | 1
Get Address | c:\windows\syswow64\rstrtmgr.dll | function = RmRegisterResources, address_out = 0x744f7660 | True | 1
Get Address | c:\windows\syswow64\rstrtmgr.dll | function = RmGetList, address_out = 0x744f74f0 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = NtOpenFile, address_out = 0x77c22040 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = NtClose, address_out = 0x77c21de0 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = NtReadFile, address_out = 0x77c21d50 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = NtWriteFile, address_out = 0x77c21d70 | True | 1
Get Address | c:\windows\syswow64\ntdll.dll | function = RtlInitUnicodeString, address_out = 0x77c242f0 | True | 1
Get Address | c:\windows\syswow64\kernelbase.dll | function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 | True | 1
Map | SM-zzbdrimp | process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE | True | 1
User (5)
Operation | Additional Information | Success | Count
Lookup Privilege | privilege = SeDebugPrivilege, luid = 20 | True | 1
Lookup Privilege | privilege = SeBackupPrivilege, luid = 17 | True | 1
Lookup Privilege | privilege = SeRestorePrivilege, luid = 18 | True | 1
Lookup Privilege | privilege = SeLockMemoryPrivilege, luid = 4 | True | 1
Lookup Privilege | privilege = SeCreateGlobalPrivilege, luid = 30 | True | 1
System (47)
Operation | Additional Information | Success | Count
Get Time | type = Performance Ctr, time = 27913524093 | True | 1
Get Time | type = Performance Ctr, time = 28001747054 | True | 1
Get Time | type = System Time | True | 22
Get Time | type = Performance Ctr, time = 28058659007 | True | 1
Get Time | type = Performance Ctr, time = 28109021923 | True | 1
Get Time | type = Performance Ctr, time = 28155742811 | True | 1
Get Time | type = Performance Ctr, time = 28189969408 | True | 1
Get Time | type = Performance Ctr, time = 28206941712 | True | 1
Get Time | type = Performance Ctr, time = 28331143221 | True | 1
Get Time | type = Performance Ctr, time = 28364946497 | True | 1
Get Time | type = Performance Ctr, time = 28444545522 | True | 1
Get Time | type = Performance Ctr, time = 28466497693 | True | 1
Get Time | type = Performance Ctr, time = 28545277467 | True | 1
Get Time | type = Performance Ctr, time = 28574268776 | True | 1
Get Time | type = Performance Ctr, time = 28682718417 | True | 1
Get Time | type = Performance Ctr, time = 28694917751 | True | 1
Get Time | type = Performance Ctr, time = 28802405323 | True | 1
Get Time | type = Performance Ctr, time = 28818523527 | True | 1
Get Time | type = Performance Ctr, time = 28888360476 | True | 1
Get Time | type = Performance Ctr, time = 28906281042 | True | 1
Get Time | type = Performance Ctr, time = 29036137317 | True | 1
Get Time | type = Performance Ctr, time = 29046863362 | True | 1
Get Time | type = Performance Ctr, time = 29132414419 | True | 1
Get Time | type = Performance Ctr, time = 29160316634 | True | 1
Get Info | type = Hardware Information | True | 2
Mutex (1796)
Operation | Additional Information | Success | Count
Open | mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE | True | 1
Release | mutex_name = MX-zzbdrimp | True | 1795
Environment (1)
Operation | Additional Information | Success | Count
Get Environment String | - | True | 1
Debug (11)
Operation | Process | Additional Information | Success | Count
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\2052\SetupResources.dll | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1041\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1025\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\3076\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1038\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\1055\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\header.bmp | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\3082\eula.rtf | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Print.ico | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate6.ico | True | 1
Print | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe | type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate3.ico | True | 1
Process #31: zzbdrimp5619.exe
Information | Value
ID | #31
File Name | c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line | C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory | C:\Users\FD1HVy\Desktop\
Monitor | Start Time: 00:03:09, Reason: Child Process
Unmonitor | End Time: 00:03:31, Reason: Self Terminated
Monitor Duration | 00:00:22
OS Process Information
Information | Value
PID | 0xf9c
Parent PID | 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness | 32-bit
Is Created or Modified Executable | True
Integrity Level | High (Elevated)
Username | NQDPDE\FD1HVy
Enabled Privileges | SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs | 0xDEC, 0xEDC
Dropped Files
Filename | File Size | YARA Match
C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked | 6.01 KB | False
  MD5: 2f4e7e7c37c70fedfb8891ae60b6e450
  SHA1: 1d9bb92df16092a76a692a13d2df33a77d6fc8dc
  SHA256: 8d7f5291358ed06da71c8782c8a3d3437fd770dfc1fecee764aec4864cb87a0a
  SSDeep: 192:FKuOY4ThU3ybIgDSN/h3QRI7PGZm0HR30BBYLLLf:FK24t3EgeN/hQRAPGZrHR3Tbf
C:\Boot\updaterevokesipolicy.p7b.locked | 4.70 KB | False
  MD5: d37122c1ccb36d4c883d5285a8082b2a
  SHA1: 0dd0bb4bbc064c30cffe6d60f07579f3c0118d34
  SHA256: 029374db97f14757d2a054b586d4f4c8318c6e2b433b7343725b51d4b33abbd7
  SSDeep: 96:+n9HC7iA6w2ahVRJpD5em7mYDt1w5OQhClEphwhK1ekVJ56YCYP7:+pCJ6X4TDtNDKOXlEphokVhCY7
C:\588bce7c90097ed212\1040\eula.rtf.locked | 3.70 KB | False
  MD5: 5094c6196587e578983277dc7c9fd833
  SHA1: 2b7032adfdef9a8f8c982425c37e2b82f2398f3b
  SHA256: d14881fe7a46d60c639776719cf0a17a589610cf4048346163c4ccede596f867
  SSDeep: 96:o7jd68oBG/+IO92PljUS9T2hP3n50fnNzG2FodsP0hvq:o/d6A1PltTxfnN3CThvq
C:\588bce7c90097ed212\1030\eula.rtf.locked | 3.38 KB | False
  MD5: eebf598c2bebe9124eeb40860a708621
  SHA1: 91fb90f5d6d6c3197172c3b26d6e09db0d07a68f
  SHA256: 71ea5f3014ee009ac2bc6b52dc03a083da2c8ef73e281b27445041d5578314c6
  SSDeep: 96:wLkOy5sQD8KGRpj85395ac3zBWbPRoOsd7oM3s0b:qktD8BpQxJoPRYd13s0b
C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked | 1.27 KB | False
  MD5: bb5ee8c99bdec6ce0d87ef2b927f6cfc
  SHA1: a48369d60acbc628ab0b521bf3eb91830655aa05
  SHA256: d5d86031166b8dfbd8b2448950b7f92be36054adf88c4e9ca465d4ee119c749a
  SSDeep: 24:lULlmFsWqeSQqLPqdMq1cVT6I7nNOx2FS5v7nfmX6LnXQYbl:lTeWatJ6ILs2FqDn5LXQYB
C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked | 1.02 KB | False
  MD5: 0065fb84b120774f5ba53a2157880ceb
  SHA1: b225ca78b0770606217cd75fb3ffbce9a6cbdbcb
  SHA256: fc67bd5ce401504bb903ef944549f9abf395bd054322ba703b6ec7d4dcd28ae1
  SSDeep: 24:36ACe0ro9l2/zTxD2C0JlGI8zkKAQ8kPEtJGGvNaW8XDCS/CQnvNwBG:3609l27tyCIlGI0NqGGv8WqDCiCQnvWo
C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked | 0.44 KB | False
  MD5: 95dc1fa0fcf5b39f2576d8493f3ca7e9
  SHA1: 3fb03556cf0566d0435d2b71be66b8d093539d6e
  SHA256: 87ff0dbf9ed00bced2fd8c0182224e5cec7aff5dc4efa28870f052caa64209b7
  SSDeep: 6:6O5VDLkLiaMm9wLoM5HqVNrUxYbn/fEXxWMqwGylJ9Got85xJ/FYGI1JkeXCmiqq:6OYLoK+BgrTEBawLsPN1I1RymynNFhUM
C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.locked | 12.09 KB | False
  MD5: 512799f1aeb32191cd7b9eec683e553b
  SHA1: 5dba8827da185bd06dc25906e1fc730cd8203600
  SHA256: 011cce94073b31ba9ac0aea6c0986dc66b1b2aaac49017baa05731ab3382fa0a
  SSDeep: 192:adI273qkZWSJoZGirUtskJftrlR4Q+Nu1SqJ3c:aT3qkIE2xrURlpKu1Fs
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL.locked | 4.18 MB | False
  MD5: 654af4ab686e82198c2f10137537f0a2
  SHA1: fda9388dd1d24429c7203fb68f83f0f5ef7d8bf2
  SHA256: a9a07454eba135665f62ea7d97f35de974f74a9f9361650c726fdf4a0c72ee54
  SSDeep: 98304:o6uT1MugaqUqMwWXGxSb1nPkI16jiPPhbwNz4:g1McqUuWXGI1Pka6ywNz4
Host Behavior
File (71)
»
Operation Filename Additional Information Success Count Logfile
Get Info C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log type = file_attributes True 3
Fn
Get Info C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked type = file_attributes False 1
Fn
Get Info C:\Boot\updaterevokesipolicy.p7b type = file_attributes True 3
Fn
Get Info C:\Boot\updaterevokesipolicy.p7b.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\1040\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1040\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1030\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1030\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\Rotate2.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked type = file_attributes False 1
Get Info C:\$GetCurrent\SafeOS\SetupComplete.cmd type = file_attributes True 3
Get Info C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Boot\updaterevokesipolicy.p7b.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1040\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1030\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked source_filename = C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Boot\updaterevokesipolicy.p7b.locked source_filename = C:\Boot\updaterevokesipolicy.p7b, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1040\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1040\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1030\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1030\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Rotate2.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked source_filename = C:\$GetCurrent\SafeOS\SetupComplete.cmd, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL.locked source_filename = C:\Program Files\Microsoft Office\root\Office16\1033\BHOINTL.DLL, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBE7.DLL, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\1046\hxdsui.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\Help\1046\hxdsui.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\api-ms-win-crt-utility-l1-1-0.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked size = 6004, size_out = 6004 True 1
Read \??\\C:\Boot\updaterevokesipolicy.p7b.locked size = 4662, size_out = 4662 True 1
Read \??\\C:\588bce7c90097ed212\1040\eula.rtf.locked size = 3643, size_out = 3643 True 1
Read \??\\C:\588bce7c90097ed212\1030\eula.rtf.locked size = 3314, size_out = 3314 True 1
Read \??\\C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked size = 1150, size_out = 1150 True 1
Read \??\\C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked size = 894, size_out = 894 True 1
Read \??\\C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked size = 307, size_out = 307 True 1
Write \??\\C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked offset = 0, size = 6008 True 1
Write \??\\C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log.locked size = 144 True 1
Write \??\\C:\Boot\updaterevokesipolicy.p7b.locked offset = 0, size = 4666 True 1
Write \??\\C:\Boot\updaterevokesipolicy.p7b.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1040\eula.rtf.locked offset = 0, size = 3647 True 1
Write \??\\C:\588bce7c90097ed212\1040\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\1030\eula.rtf.locked offset = 0, size = 3318 True 1
Write \??\\C:\588bce7c90097ed212\1030\eula.rtf.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked offset = 0, size = 1154 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico.locked size = 144 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked offset = 0, size = 898 True 1
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate2.ico.locked size = 144 True 1
Write \??\\C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked offset = 0, size = 311 True 1
Write \??\\C:\$GetCurrent\SafeOS\SetupComplete.cmd.locked size = 144 True 1
Module (80)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (39)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 28204850772 True 1
Get Time type = Performance Ctr, time = 28338088405 True 1
Get Time type = System Time True 18
Get Time type = Performance Ctr, time = 28366403717 True 1
Get Time type = Performance Ctr, time = 28539363627 True 1
Get Time type = Performance Ctr, time = 28565162060 True 1
Get Time type = Performance Ctr, time = 28650086313 True 1
Get Time type = Performance Ctr, time = 28674971960 True 1
Get Time type = Performance Ctr, time = 28788857858 True 1
Get Time type = Performance Ctr, time = 28814387702 True 1
Get Time type = Performance Ctr, time = 28884363510 True 1
Get Time type = Performance Ctr, time = 28908722841 True 1
Get Time type = Performance Ctr, time = 29134333026 True 1
Get Time type = Performance Ctr, time = 29165450318 True 1
Get Time type = Performance Ctr, time = 29217568671 True 1
Get Time type = Performance Ctr, time = 29236931698 True 1
Get Time type = Performance Ctr, time = 29341178201 True 1
Get Time type = Performance Ctr, time = 29753690135 True 1
Get Time type = Performance Ctr, time = 29919254654 True 1
Get Time type = Performance Ctr, time = 30019359109 True 1
Get Info type = Hardware Information True 2
Mutex (1047)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1046
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (7)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\$GetCurrent\Logs\oobe_2017_09_07_03_08_57_737.log True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Boot\updaterevokesipolicy.p7b True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1040\eula.rtf True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1030\eula.rtf True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\SysReqNotMet.ico True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate2.ico True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\$GetCurrent\SafeOS\SetupComplete.cmd True 1
Process #32: zzbdrimp5619.exe
Information Value
ID #32
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:13, Reason: Child Process
Unmonitor End Time: 00:03:35, Reason: Self Terminated
Monitor Duration 00:00:21
OS Process Information
Information Value
PID 0xf60
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x824, 0x2AC
Dropped Files
Filename File Size Hash Values YARA Match
C:\588bce7c90097ed212\1036\eula.rtf.locked 3.59 KB MD5: f159fb3b14bd60df135c374473335aa5
SHA1: 5c365e7e64ba246a9b69988d34bd5ed9e4b8b564
SHA256: ff2d0908cc938d86da782efca16ea4d6857f17c48d4ef7a6fb1d0d6c844d70f5
SSDeep: 96:1HUls7saRgk6wFeThed098aUje7Xzg+sSLkA7eO3FX+tMsBo6:al2saRjucaUje7XzgtSZyOVqo6
YARA Match: False
C:\588bce7c90097ed212\1033\eula.rtf.locked 3.26 KB MD5: 2b1a272069de40868c4247342f089dfc
SHA1: 118ab38046ccebced830af21083210ff67af641b
SHA256: cf8ec17492f54b669ad0d937c8bddea2f70309b1cd9db590878e366c7666122e
SSDeep: 96:c6YegL1g2FC0ld8jYOHwgUR7DvHeVx0kzRAwFn8W6UytonA3X:lu1g240jdGUN7evhzyWu
YARA Match: False
C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked 1.27 KB MD5: 47fe63207f44986d61f0cc3e452f45a6
SHA1: c557e0bf8cfd9c9aeca8267cd6a3845ee0855257
SHA256: 0186000b0431eb6b2eba3f20b6bd467f16989640d66b2f388ddd32873ddb4666
SSDeep: 24:180vZ/6IBZafFIannJ3UEepNmKawrXEQXiqp5TKP2RM:K0vHkFHnKnN3aww1qpgPb
YARA Match: False
C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked 1.02 KB MD5: 49905b559626e963472df72fd72dc889
SHA1: 53fda7d5a37b3bca3a40dfcbea4bfd1f2590650c
SHA256: 6512b9f738fd7abb2be08d35f168fa4c41b1cdfc7a89fd0792bb3dcd38c44e80
SSDeep: 24:laz2qX1zPLyqtvoNvBPrIkXGtDqboS/sWDbBlYv:lGrX1zP+qtvCvBDIpteUisW3Bls
YARA Match: False
C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked 1.02 KB MD5: 8282cc585bf4c800e45996aa6ab3702d
SHA1: bd28cf03e8df8df303706bfe60ac878aad8dec19
SHA256: 60344ebe9ebbdbae2bff036c9f67ffa66fa3aae8501fd08b35bb264e0598d08f
SSDeep: 24:T6xbVE61CSeTS2CLNua+TubAi9POQr3S/l0Zl9An:ixySyCZuynZOo3ilQc
YARA Match: False
C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked 0.71 KB MD5: d1b4c93613409080c0d62f710a194e35
SHA1: bddaf71fe6d3c9faa212a60f44c1234bfab9b2ab
SHA256: a6ba4e00256552306b122287ec9ba25d1021ef6e7371eb2e2aecb8d21ab4a9e7
SSDeep: 12:KcTSuRWup61r59DpkxcgJA0aw3fGAPU2XCMgDiZzao3eX75j0HXiTNtMo1xrgm3r:JTyup6jkL3fGAPU2XCMgDi9urtcEV1xx
YARA Match: False
C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked 4.00 KB MD5: e6bdcecb7882379933a419864cd84c31
SHA1: 88e44c46d8ef3a34ba77c286f2c0375d8d010b4b
SHA256: 180cc10c1601669555f8ed19fb6915fce014682ec9f416b0cf8c23faef736c5a
SSDeep: 96:V71NhBEtE7EFI3itXWXOEmfcpgSSLFchn:F1NvE6Y63mWXOEmkpgHchn
YARA Match: False
C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked 22.29 KB MD5: a605bbcfd7a878b4947782c292eae992
SHA1: 96ac97a4756d9962e2682e925b21b69b6732ce58
SHA256: fabc8625af0fbd72e8f19a425717d008c0fed796dfdd6bda3ac6d2578ea3efa9
SSDeep: 384:s/0NkI98I5I7lchu5UqcdQNT9t4MRDaukGCEjjAkP/o72XKB4/RWE4M:s8NkI98II72uRTYMR+ukOjjAtqnx
YARA Match: False
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked 64.74 KB MD5: dad5c4290da74fe7ddf7b7c79e980b73
SHA1: 2d58e4de6faf226fd09460e5aaf160118b93367a
SHA256: d3440ddce93c29fed9439a94f70110dd9ff3f8678b39c4cc8ed9d53e89791219
SSDeep: 1536:56eiEN89V5khD50jZ9h9VKHuaHdg7ylA4ktYZzeGZ:56ebC9jXjZb9IHd6ylA4kWNh
YARA Match: False
Host Behavior
File (101)
Operation Filename Additional Information Success Count
Get Info C:\588bce7c90097ed212\1036\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1036\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\1033\eula.rtf type = file_attributes True 3
Get Info C:\588bce7c90097ed212\1033\eula.rtf.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\SysReqMet.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\Rotate5.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked type = file_attributes False 1
Get Info C:\588bce7c90097ed212\Graphics\Rotate1.ico type = file_attributes True 3
Get Info C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked type = file_attributes False 1
Get Info C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd type = file_attributes True 3
Get Info C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmgdsrv.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmgdsrv.dll.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\588bce7c90097ed212\1036\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\1033\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmgdsrv.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\588bce7c90097ed212\1036\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1036\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\1033\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1033\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\SysReqMet.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Rotate5.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Rotate1.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked source_filename = C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked source_filename = C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked source_filename = C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmgdsrv.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmgdsrv.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\588bce7c90097ed212\1036\eula.rtf.locked size = 3526, size_out = 3526 True 1
Read \??\\C:\588bce7c90097ed212\1033\eula.rtf.locked size = 3188, size_out = 3188 True 1
Read \??\\C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked size = 1150, size_out = 1150 True 1
Read \??\\C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked size = 894, size_out = 894 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked size = 894, size_out = 894 True 1
Fn
Data
Read \??\\C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked size = 577, size_out = 577 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked size = 3948, size_out = 3948 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked size = 22680, size_out = 22680 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked size = 608, size_out = 608 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmgdsrv.dll.locked size = 65536, size_out = 65536 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1036\eula.rtf.locked offset = 0, size = 3530 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1036\eula.rtf.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1033\eula.rtf.locked offset = 0, size = 3192 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1033\eula.rtf.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked offset = 0, size = 1154 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\SysReqMet.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked offset = 0, size = 898 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate5.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked offset = 0, size = 898 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate1.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked offset = 0, size = 581 True 1
Fn
Data
Write \??\\C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked offset = 0, size = 3952 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked offset = 0, size = 22684 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked offset = 65536, size = 612 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL.locked size = 144 True 1
Fn
Data
Module (77)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (43)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 28609717183 True 1
Fn
Get Time type = Performance Ctr, time = 28689409038 True 1
Fn
Get Time type = System Time True 20
Fn
Get Time type = Performance Ctr, time = 28702882513 True 1
Fn
Get Time type = Performance Ctr, time = 28795204808 True 1
Fn
Get Time type = Performance Ctr, time = 28816008683 True 1
Fn
Get Time type = Performance Ctr, time = 28885895457 True 1
Fn
Get Time type = Performance Ctr, time = 28907334420 True 1
Fn
Get Time type = Performance Ctr, time = 29019834761 True 1
Fn
Get Time type = Performance Ctr, time = 29036978098 True 1
Fn
Get Time type = Performance Ctr, time = 29111883194 True 1
Fn
Get Time type = Performance Ctr, time = 29140536045 True 1
Fn
Get Time type = Performance Ctr, time = 29200522102 True 1
Fn
Get Time type = Performance Ctr, time = 29218532331 True 1
Fn
Get Time type = Performance Ctr, time = 29331822020 True 1
Fn
Get Time type = Performance Ctr, time = 29366232361 True 1
Fn
Get Time type = Performance Ctr, time = 29756438944 True 1
Fn
Get Time type = Performance Ctr, time = 29774629302 True 1
Fn
Get Time type = Performance Ctr, time = 29851183364 True 1
Fn
Get Time type = Performance Ctr, time = 29887855219 True 1
Fn
Get Time type = Performance Ctr, time = 30014183424 True 1
Fn
Get Time type = Performance Ctr, time = 30183680339 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1910)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 1909
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (10)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1036\eula.rtf True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1033\eula.rtf True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\SysReqMet.ico True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate5.ico True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate1.ico True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\$GetCurrent\SafeOS\PartnerSetupComplete.cmd True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\BS01637_.WMF True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\Office16\MSIPC\nl\msipc.dll.mui True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\MSMAPI\1033\MSMAPI32.DLL True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\CMigrate.exe True 1
Fn
Process #33: zzbdrimp5619.exe
Information Value
ID #33
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:14, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:32
OS Process Information
Information Value
PID 0xf48
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xFB0
0xCDC
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked 2.25 MB MD5: e8ecba79e88770107e02d59c312c7359
SHA1: f2b1f962f20306ad7b97ad9d96f8129b3ecde8a9
SHA256: be8d4e4ce74efc8c5c95e9c72e007dacd6ba353c59450e0cef10f80992a2510f
SSDeep: 49152:4b5/Hj4Gp+oSqlX2MJyss4qreS07WLrgdE8TuFB4WXBBm8RDVrg4:sPPqqlGJFndBLrg+8epCwg4
False
C:\588bce7c90097ed212\1044\eula.rtf.locked 3.12 KB MD5: 312341a407b5e5d28dd9510028c3f4f8
SHA1: 13d15dffa34c96e9dff42011c23690a2dc57a1a3
SHA256: 2db07f8fae4124d3fbe65c004f947432118d8c1940a1307a0bf5477e2e97f5d6
SSDeep: 96:163CSwaKh4RXaX/Lz27VqDTMmVtrovVlme:0pU4+zjTgVse
False
C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked 1.02 KB MD5: 4c35de049b7504a474d90a7a439798b5
SHA1: a282a65d16ff7648af77d285a0afb6f0262a827f
SHA256: ccdcd002c691a031285b8b42d19dae9595088064fec71f31aa1caa24ea88c080
SSDeep: 24:1MypeDxtDbyTXYtME8QMOQX4UeOg0bIhuug/seBgzu1oS/xqKVIQ:1FkbDbIXYWE8vOnULbIJeB9oixqKVD
False
C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked 1.02 KB MD5: 76ebef9b0d632f32008b84834e5400eb
SHA1: 8075b3394cc8070fb644d95201cb940f450100b3
SHA256: 24e5a1fb58163c3ea6babb0c59c7c663a12249924a19d7c08dec485500e231f7
SSDeep: 24:+yuXupZi5TY+O8uqlFFT2zHURYHfLuGJ9BIdx3faRihMm0iS/g4iAKItl:iXupZGT28PJRY/Lug9Bqx3PhMbiig9vi
False
C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked 1.02 KB MD5: a7b0c9d303621b5a42571e22290d1ebe
SHA1: 7822a2c6d518fa352c8ed8624e324c919cabae7e
SHA256: 8318512f739a82c5e143d8172202c8e2ee8b465ee718d992c59d8c014158eb18
SSDeep: 24:/fIz1eF/9Zr/iYPhC0ZT+EOdATEeV4TE8mzrZ/BS/StKPVU:/fIz1eF/9ZrW0ZT+EOmDViEBrlBiMKP+
False
C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked 84.21 KB MD5: a7fd3c5c67052c0fb8f46b86f4975bec
SHA1: 80d0380eee23c720aa37e9289172e2d4f882ae23
SHA256: 84df9b510bb9293ca6dadf3976a0e2170d2c18507226f8a506c72c5b6298c558
SSDeep: 1536:9ssNUZDoVEGqwUbPfVZf0H5KuWYkYomiqyyJBz5B/sKd7P6XIbAL4EtxcCn:9s2KDDwUbPH0HpOvtqyy9Ge6XQAL4EtL
False
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked 289.32 KB MD5: 1d4d7fceac77aaeaf4762957a07d6bed
SHA1: de8d4a456df6c79d5dd87c9fb27f5d95ae32c3a1
SHA256: f35b691050a3264eae710115623ce75a4610e10e5dd4b1a9d6c3a70595630321
SSDeep: 6144:2S/MqHrzAbvnH0Co+TmTuRTlBINGIP8M9e4GCS9TGKfsJ9fKwMOe:R0irzAbnH0f+TmTu9fkGIDeD9TJ09fKL
False
Host Behavior
File (208)
Operation Filename Additional Information Success Count Logfile
Get Info C:\588bce7c90097ed212\1044\eula.rtf type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\1044\eula.rtf.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\Graphics\Rotate7.ico type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\Graphics\Rotate4.ico type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked type = file_attributes False 1
Fn
Get Info C:\588bce7c90097ed212\Graphics\Rotate8.ico type = file_attributes True 3
Fn
Get Info C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\588bce7c90097ed212\1044\eula.rtf.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\588bce7c90097ed212\1044\eula.rtf.locked source_filename = C:\588bce7c90097ed212\1044\eula.rtf, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Rotate7.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Rotate4.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked source_filename = C:\588bce7c90097ed212\Graphics\Rotate8.ico, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked source_filename = C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked source_filename = C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\588bce7c90097ed212\1044\eula.rtf.locked size = 3046, size_out = 3046 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked size = 894, size_out = 894 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked size = 894, size_out = 894 True 1
Fn
Data
Read \??\\C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked size = 894, size_out = 894 True 1
Fn
Data
Read \??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked size = 20544, size_out = 20544 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked size = 65536, size_out = 65536 True 23
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked size = 65536, size_out = 65536 True 18
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked size = 3768, size_out = 3768 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked size = 65536, size_out = 65536 True 20
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked size = 65536, size_out = 65536 True 4
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked size = 33968, size_out = 33968 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1044\eula.rtf.locked offset = 0, size = 3050 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\1044\eula.rtf.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked offset = 0, size = 898 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate7.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked offset = 0, size = 898 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate4.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked offset = 0, size = 898 True 1
Fn
Data
Write \??\\C:\588bce7c90097ed212\Graphics\Rotate8.ico.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked offset = 65536, size = 20548 True 1
Fn
Data
Write \??\\C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 524288, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 589824, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 655360, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 720896, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 786432, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 851968, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 917504, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 983040, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 1048576, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 1114112, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 1179648, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 1245184, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 1310720, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll.locked offset = 1376256, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 0, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 65536, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 131072, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 196608, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 262144, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 327680, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 393216, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 458752, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 524288, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 589824, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 655360, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 720896, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 786432, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 851968, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 917504, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 983040, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 1048576, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 1114112, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\METCONV.TXT.locked offset = 1179648, size = 3772 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 0, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 65536, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 131072, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 196608, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 262144, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 327680, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 393216, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 458752, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 524288, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 589824, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 655360, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 720896, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 786432, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 851968, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 917504, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 983040, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 1048576, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 1114112, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Csi.dll.locked offset = 1179648, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 0, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 65536, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 131072, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 196608, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 262144, size = 33972 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked size = 144 True 1 Fn, Data
Module (80)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2 Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2 Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1 Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1 Fn
Load ntdll.dll base_address = 0x77bb0000 True 1 Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1 Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3 Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1 Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2 Fn
Get Handle mscoree.dll - False 1 Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1 Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1 Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1 Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1 Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1 Fn
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1 Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1 Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1 Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1 Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1 Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1 Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1 Fn
System (37)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 28700414623 True 1 Fn
Get Time type = Performance Ctr, time = 28806536321 True 1 Fn
Get Time type = System Time True 17 Fn
Get Time type = Performance Ctr, time = 28821538627 True 1 Fn
Get Time type = Performance Ctr, time = 28900105653 True 1 Fn
Get Time type = Performance Ctr, time = 28919659397 True 1 Fn
Get Time type = Performance Ctr, time = 29094862670 True 1 Fn
Get Time type = Performance Ctr, time = 29123312043 True 1 Fn
Get Time type = Performance Ctr, time = 29159172952 True 1 Fn
Get Time type = Performance Ctr, time = 29185537605 True 1 Fn
Get Time type = Performance Ctr, time = 29298955340 True 1 Fn
Get Time type = Performance Ctr, time = 29354721008 True 1 Fn
Get Time type = Performance Ctr, time = 29405998446 True 1 Fn
Get Time type = Performance Ctr, time = 29776621287 True 1 Fn
Get Time type = Performance Ctr, time = 29927016755 True 1 Fn
Get Time type = Performance Ctr, time = 30105831229 True 1 Fn
Get Time type = Performance Ctr, time = 30152387672 True 1 Fn
Get Time type = Performance Ctr, time = 30221852336 True 1 Fn
Get Time type = Performance Ctr, time = 31403445622 True 1 Fn
Get Info type = Hardware Information True 2 Fn
Mutex (660)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1 Fn
Release mutex_name = MX-zzbdrimp True 659 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1 Fn, Data
Debug (7)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\1044\eula.rtf True 1 Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate7.ico True 1 Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate4.ico True 1 Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\588bce7c90097ed212\Graphics\Rotate8.ico True 1 Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Java\jre1.8.0_144\bin\decora_sse.dll True 1 Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.ScriptDom.dll True 1 Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\xmsrv.dll True 1 Fn
Process #34: zzbdrimp5619.exe
457 0
Information Value
ID #34
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:18, Reason: Child Process
Unmonitor End Time: 00:03:46, Reason: Self Terminated
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0x468
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x270, 0x2E8
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked 12.30 KB MD5: 33663b04712cbe463737449d2b73ffd0, SHA1: 0850f2358edd5d8695054e87f9d98c4a6639a55f, SHA256: 3cc60c29727fd137a73b652264bb1c03d10411e8416da683653e7c4c198cdf09, SSDeep: 192:4NBtXMSlIgEnkxuRKaB1wU513aOY6wU5GTGeq6+nvknNE/JcBYaCAe6plits:W3X3GKuRVB1L5k+wUC/q6+nDcJLhuts False
C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked 8.09 KB MD5: 66ef419f64a9df2a7c5f5cb59e46252c, SHA1: bfbaf09871f44974c0b26c9725c79b5d7d5692de, SHA256: 11e06ad68b309accdc3ce884d3a7c06b844bde032ea977ba54da28492b4d6738, SSDeep: 192:fsyPGb7iHxYtJWHKaDse+ss9JT8RRGoHRGSqUGp/IIG4Vo7uCH:fXPGb+itQnsT7ARRGoDWtSH False
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked 2.50 MB MD5: b5b3e13ff632f042d1293cc612b9a82e, SHA1: a5c7d1d2ecb5c6811cebffbbff2c7d70885e68ab, SHA256: f16deac4b3bee805493c39819132a4add2bd5eef076509a68ef9568e0357943b, SSDeep: 49152:xi2jCITiVK73Ohjo3pn0W0fN03k7cO6huvUeK32x8m7YOOkXljcUM3gu:xi2jClO3OVo3pnt0keUeO5m7YOJpeB False
Host Behavior
File (68)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll type = file_attributes True 3 Fn
Get Info C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked type = file_attributes False 1 Fn
Get Info C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF type = file_attributes True 3 Fn
Get Info C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked type = file_attributes False 1 Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL type = file_attributes True 3 Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked type = file_attributes False 1 Fn
Open STD_INPUT_HANDLE - True 1 Fn
Open STD_OUTPUT_HANDLE - True 1 Fn
Open STD_ERROR_HANDLE - True 1 Fn
Open \??\\C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1 Fn
Open \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1 Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1 Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1 Fn
Move C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked source_filename = C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Move C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked source_filename = C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\concrt140.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\hive.xsl.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\hive.xsl, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolap110.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msolap110.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1 Fn
Read \??\\C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked size = 12448, size_out = 12448 True 1 Fn, Data
Read \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked size = 8136, size_out = 8136 True 1 Fn, Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked size = 65536, size_out = 65536 True 19 Fn, Data
Write \??\\C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked offset = 0, size = 12452 True 1 Fn, Data
Write \??\\C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll.locked size = 144 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked offset = 0, size = 8140 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF.locked size = 144 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 0, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 65536, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 131072, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 196608, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 262144, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 327680, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 393216, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 458752, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 524288, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 589824, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 655360, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 720896, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 786432, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 851968, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 917504, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 983040, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 1048576, size = 65536 True 1 Fn, Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL.locked offset = 1114112, size = 65536 True 1 Fn, Data
Module (80)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2 Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2 Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1 Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1 Fn
Load ntdll.dll base_address = 0x77bb0000 True 1 Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1 Fn
Load api-ms-win-appmodel-runtime-l1-1-1 base_address = 0x75ba0000 True 1 Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3 Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1 Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2 Fn
Get Handle mscoree.dll - False 1 Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1 Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2 Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1 Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1 Fn
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Get Address c:\windows\syswow64\kernel.appcore.dll function = GetCurrentPackageId, address_out = 0x75ba3510 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (29)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 29084461966 True 1
Get Time type = Performance Ctr, time = 29238456507 True 1
Get Time type = System Time True 13
Get Time type = Performance Ctr, time = 29260327241 True 1
Get Time type = Performance Ctr, time = 29344986332 True 1
Get Time type = Performance Ctr, time = 29372427043 True 1
Get Time type = Performance Ctr, time = 29743333672 True 1
Get Time type = Performance Ctr, time = 29911468741 True 1
Get Time type = Performance Ctr, time = 30027234650 True 1
Get Time type = Performance Ctr, time = 30116479293 True 1
Get Time type = Performance Ctr, time = 30363620927 True 1
Get Time type = Performance Ctr, time = 30535760436 True 1
Get Time type = Performance Ctr, time = 30621348849 True 1
Get Time type = Performance Ctr, time = 31414230774 True 1
Get Time type = Performance Ctr, time = 31555097977 True 1
Get Info type = Hardware Information True 2
Mutex (260)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 259
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (3)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\VSTOInstallerUI.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\CLIPART\PUB60COR\NA02407_.WMF True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\VBEUI.DLL True 1
Process #35: zzbdrimp5619.exe
Information Value
ID #35
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:20, Reason: Child Process
Unmonitor End Time: 00:03:57, Reason: Self Terminated
Monitor Duration 00:00:36
OS Process Information
Information Value
PID 0xcf8
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8E8, 0xFB8, 0xEC4, 0x83C
Dropped Files
Filename, File Size, Hash Values, YARA Match
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked (0.71 KB, YARA Match: False)
MD5: 3431bd7cd516d3cf8cd1b42fed0c95ea
SHA1: 522107d277cc779705a8123bbfca54b7434f8880
SHA256: ab544c84bae39c33e038d56b1e1768a9a1f8e8ff7c1ad0eb5ccb59190417ffaf
SSDeep: 12:rg2aISHQfuU7BXbu+3qLiCvBUqFNwFTwJeiwYnj2Y+B7W/rBoipeH2ORWuSacLFZ:rg2LXb7BXbBqLnviQe6JezY+9W/rBvVr
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked (184.79 KB, YARA Match: False)
MD5: f49e506845097dd1757cacefd133dece
SHA1: 6d2f2895f4c2678e286e1bca691a7d3600093491
SHA256: 9c2e93b833a6841fe807a08031412261d2522cf8a36d78acdbf8f1a96735fc3b
SSDeep: 3072:+U6Hoij4PmM9gqZlbbGnunoYF7bWJe+UcajW61w61eAONwTCOenKFrwh+xN:wH3j4PA05zz7bIe+TYFS0ONFOkC0KN
C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked (42.14 KB, YARA Match: False)
MD5: 8cc2cef1162ae8d7ebcca7261f45694a
SHA1: 73fd1465661156c15c280c126137276e1d8abe46
SHA256: 69858caf966cf9d99dbfd49da84e7ba4695a7c9967c36d3112c31774eacff87e
SSDeep: 768:p5beGwdOx+z+ThKQAcw1vl0OUaP7fPGjWJY4UTlDziLhVdqIiCmLO+e62EM:XQ0Ext1vlLUaPrQWmTT4VdaLOr6U
C:\Program Files\rempl\Logs\Remediation.003.etl.locked (128.14 KB, YARA Match: False)
MD5: 9eff8affd8cbc5f12b46195af7bf5295
SHA1: 094e248cb75e0439e919297c4a70185c3043479c
SHA256: 98b0f393be1cd38e272a50003d2da6503172d33748f3d22f9bb3c7d46c691a1d
SSDeep: 3072:HZnS7huxgrRqEZ9z5QRNIIPGf7uy/dLtmhVKgZv1VAiZUDLxnIs:yIIQT3Gf6ynNAFZc+s
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked (1.72 MB, YARA Match: False)
MD5: f1239868449b8c2d157373c72fef28ed
SHA1: f61ad71aadd30fd532624902a92d3c142a3cba11
SHA256: b2cbf6a7622e4476542ac5021e25dd3dc30c5fb182cd4b3e7072773bc689b248
SSDeep: 49152:Xc/s4HqQKFx6S0jAHk2CKrX9YPqbj1wB3:s/Lce8kZwO2M
Host Behavior
File (88)
Operation Filename Additional Information Success Count
Create C:\Users\Public\Desktop\README_LOCKED.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked type = file_attributes False 1
Get Info C:\Program Files\rempl\Logs\Remediation.003.etl type = file_attributes True 3
Get Info C:\Program Files\rempl\Logs\Remediation.003.etl.locked type = file_attributes False 1
Get Info C:\Users\Public\Desktop\README_LOCKED.txt type = file_type True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmdlocal.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\msmdlocal.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft SQL Server\110\Shared\msasxpress.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft SQL Server\110\Shared\msasxpress.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked source_filename = C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\rempl\Logs\Remediation.003.etl.locked source_filename = C:\Program Files\rempl\Logs\Remediation.003.etl, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked size = 578, size_out = 578 True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked size = 65536, size_out = 65536 True 2
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked size = 58008, size_out = 58008 True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked size = 65536, size_out = 65536 True 17
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked size = 33448, size_out = 33448 True 1
Read \??\\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked size = 43008, size_out = 43008 True 1
Read \??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked size = 65536, size_out = 65536 True 2
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked offset = 0, size = 582 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF.locked size = 144 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked offset = 0, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked offset = 131072, size = 58012 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll.locked size = 144 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 0, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1376256, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1441792, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1507328, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1572864, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1638400, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1703936, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF.locked offset = 1769472, size = 33452 True 1
Write \??\\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked offset = 0, size = 43012 True 1
Write \??\\C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll.locked size = 144 True 1
Write \??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked offset = 0, size = 65536 True 1
Write \??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked offset = 65536, size = 65540 True 1
Write \??\\C:\Program Files\rempl\Logs\Remediation.003.etl.locked size = 144 True 1
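The File rows above show the worker's per-file routine: the original is renamed in place to its own name plus ".locked" with MOVEFILE_REPLACE_EXISTING, opened with FILE_OPEN_FOR_BACKUP_INTENT, read in 64 KiB chunks, written back with offsets where the last chunk is four bytes longer than what was read, and then a separate 144-byte write with no offset. The script below is an editor's added example, not part of the VMRay report or the sample: it parses a transcribed subset of those rows in the report's own text format, reconstructs each file's read and written byte counts, and checks that every encrypted output is original size + 4 + 144 bytes, which is also what the Dropped Files sizes for the same paths show. The row regexes, the "\??\\" path prefix handling and the rule that a Write without an offset is an appended trailer are assumptions about the report's layout.

```python
"""Relate a ransomware's reads and writes per target file from sandbox File rows.

Editor's added example; not code from the VMRay report or the analysed sample.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Paths copied from the report's File table for process #35.
OFFICE64 = r"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64"
INF = OFFICE64 + r"\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF"
XML = OFFICE64 + r"\SYSTEM\ole db\xmlrwbin.dll"
STL = r"C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\Microsoft.VisualC.STLCLR.dll"
ETL = r"C:\Program Files\rempl\Logs\Remediation.003.etl"
EXT = ".locked"
NT = "\\??\\\\"  # assumption: the sandbox prints NT-style paths as \??\\C:\...
FLAGS = "flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1"

# Constructed input: rows transcribed from the report (sizes and counts as listed there).
SAMPLE_ROWS: List[str] = [
    f"Move {INF}{EXT} source_filename = {INF}, {FLAGS}",
    f"Move {XML}{EXT} source_filename = {XML}, {FLAGS}",
    f"Move {STL}{EXT} source_filename = {STL}, {FLAGS}",
    f"Move {ETL}{EXT} source_filename = {ETL}, {FLAGS}",
    f"Read {NT}{INF}{EXT} size = 578, size_out = 578 True 1",
    f"Read {NT}{XML}{EXT} size = 65536, size_out = 65536 True 2",
    f"Read {NT}{XML}{EXT} size = 58008, size_out = 58008 True 1",
    f"Read {NT}{STL}{EXT} size = 43008, size_out = 43008 True 1",
    f"Read {NT}{ETL}{EXT} size = 65536, size_out = 65536 True 2",
    f"Write {NT}{INF}{EXT} offset = 0, size = 582 True 1",
    f"Write {NT}{INF}{EXT} size = 144 True 1",
    f"Write {NT}{XML}{EXT} offset = 0, size = 65536 True 1",
    f"Write {NT}{XML}{EXT} offset = 65536, size = 65536 True 1",
    f"Write {NT}{XML}{EXT} offset = 131072, size = 58012 True 1",
    f"Write {NT}{XML}{EXT} size = 144 True 1",
    f"Write {NT}{STL}{EXT} offset = 0, size = 43012 True 1",
    f"Write {NT}{STL}{EXT} size = 144 True 1",
    f"Write {NT}{ETL}{EXT} offset = 0, size = 65536 True 1",
    f"Write {NT}{ETL}{EXT} offset = 65536, size = 65540 True 1",
    f"Write {NT}{ETL}{EXT} size = 144 True 1",
]
# Sizes the report lists under Dropped Files for the same outputs.
REPORTED_KB: Dict[str, float] = {INF + EXT: 0.71, XML + EXT: 184.79, STL + EXT: 42.14, ETL + EXT: 128.14}

# Row grammar (assumed from the report text): "<Operation> <path> <key = value, ...> <True|False> <count>".
MOVE_RE = re.compile(r"^Move (?P<dst>.+?) source_filename = (?P<src>.+?), flags = (?P<flags>.+?) (?:True|False) (?P<count>\d+)$")
READ_RE = re.compile(r"^Read (?P<path>.+?) size = \d+, size_out = (?P<got>\d+) (?:True|False) (?P<count>\d+)$")
WRITE_RE = re.compile(r"^Write (?P<path>.+?) (?:offset = (?P<offset>\d+), )?size = (?P<size>\d+) (?:True|False) (?P<count>\d+)$")


def norm(path: str) -> str:
    """Strip the NT prefix so Read/Write rows key on the same path as Move rows."""
    return path[len(NT):] if path.startswith(NT) else path


@dataclass
class FileTrace:
    renamed_from: Optional[str] = None
    move_flags: str = ""
    bytes_read: int = 0        # sum of size_out * count over Read rows
    body_written: int = 0      # Write rows carrying an explicit offset
    trailer_written: int = 0   # Write rows without an offset (assumed appended)

    @property
    def encrypted_size(self) -> int:
        return self.body_written + self.trailer_written


def parse_rows(rows: List[str]) -> Dict[str, FileTrace]:
    traces: Dict[str, FileTrace] = defaultdict(FileTrace)
    for row in rows:
        if (m := MOVE_RE.match(row)):
            t = traces[m["dst"]]
            t.renamed_from, t.move_flags = m["src"], m["flags"]
        elif (m := READ_RE.match(row)):
            traces[norm(m["path"])].bytes_read += int(m["got"]) * int(m["count"])
        elif (m := WRITE_RE.match(row)):
            t = traces[norm(m["path"])]
            n = int(m["size"]) * int(m["count"])
            if m["offset"] is None:
                t.trailer_written += n
            else:
                t.body_written += n
    return dict(traces)


def renamed_in_place(traces: Dict[str, FileTrace]) -> bool:
    """Every output is the original's own name plus EXT, replaced in place (no copy kept)."""
    return all(t.renamed_from is not None and dst == t.renamed_from + EXT
               and "MOVEFILE_REPLACE_EXISTING" in t.move_flags for dst, t in traces.items())


def layout_overheads(traces: Dict[str, FileTrace]) -> Set[Tuple[int, int]]:
    """Distinct (body bytes beyond bytes read, trailer bytes) pairs; one pair means a fixed format."""
    return {(t.body_written - t.bytes_read, t.trailer_written) for t in traces.values()}


def size_mismatches(traces: Dict[str, FileTrace], reported_kb: Dict[str, float]) -> List[str]:
    """Outputs whose reconstructed size disagrees with the report's KB figure (2 decimals)."""
    return [p for p, kb in reported_kb.items()
            if p not in traces or round(traces[p].encrypted_size / 1024, 2) != kb]


if __name__ == "__main__":
    tr = parse_rows(SAMPLE_ROWS)
    for path, t in tr.items():
        print(f"{path.rsplit(chr(92), 1)[-1]}: read={t.bytes_read} written={t.encrypted_size} "
              f"(+{t.body_written - t.bytes_read} body, +{t.trailer_written} trailer)")
    print("rename in place:", renamed_in_place(tr), "| layouts:", layout_overheads(tr),
          "| size mismatches:", size_mismatches(tr, REPORTED_KB))
```

The constant 4 + 144 overhead across files of very different sizes is the useful finding: it says the format is "ciphertext of the same length as the plaintext, plus a fixed per-file extra and a fixed trailer", not block padding (578 and 582 are both off a 16-byte boundary). What those 148 bytes hold (a length or marker, a wrapped per-file key, an identifier) cannot be read off the sizes; that needs the write buffers in the report's data dumps. OFFICE.ODF is left out of the sample because the report lists its 64 KiB writes with an offset gap, so its row totals do not reconstruct the 1.72 MB output the same way.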
Module (79)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Load kernel32 base_address = 0x75e90000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x75ea4280 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (33)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 29375355611 True 1
Get Time type = Performance Ctr, time = 29738023887 True 1
Get Time type = System Time True 15
Get Time type = Performance Ctr, time = 29765437995 True 1
Get Time type = Performance Ctr, time = 29903311540 True 1
Get Time type = Performance Ctr, time = 29920476252 True 1
Get Time type = Performance Ctr, time = 30020902958 True 1
Get Time type = Performance Ctr, time = 30173355062 True 1
Get Time type = Performance Ctr, time = 31401382229 True 1
Get Time type = Performance Ctr, time = 31666978902 True 1
Get Time type = Performance Ctr, time = 31722464249 True 1
Get Time type = Performance Ctr, time = 31817813468 True 1
Get Time type = Performance Ctr, time = 32064190168 True 1
Get Time type = Performance Ctr, time = 32450254944 True 1
Get Time type = Performance Ctr, time = 32463717994 True 1
Get Time type = Performance Ctr, time = 32604250043 True 1
Get Time type = Performance Ctr, time = 32627396940 True 1
Get Info type = Hardware Information True 2
Mutex (924)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 923
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (4)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.INF True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\SYSTEM\ole db\xmlrwbin.dll True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\OFFICE.ODF True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\rempl\Logs\Remediation.003.etl True 1
Process #36: zzbdrimp5619.exe
Information Value
ID #36
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:29, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:28
OS Process Information
Information Value
PID 0xcc0
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x548, 0xD20
Dropped Files
Filename, File Size, Hash Values, YARA Match
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked (108.22 KB, YARA Match: False)
MD5: 917e321b5b355d2d6cb31e713730841d
SHA1: 119af296148878628d74f04ea4decc46e451d0db
SHA256: 531e0073a76a3551423ce2aab8d4abb0f4427c371b13067d06b972a08b41364d
SSDeep: 3072:lvRtZxlMEhTimocpn0NWPAuTR/YRDoF/39FMYgkba:lrZDT3RpnkWPvd/wDoN39FV2
C:\Program Files\rempl\Unlock.xml.locked (1.65 KB, YARA Match: False)
MD5: 3915dc44ddcc29d23bdb02d34e4709ca
SHA1: c33b5d16a98da717cafd384f0a06aa39ab7d3e33
SHA256: 72dca340c00dbfd602b8cb75e175efc63815b73001ad2abe6e76cf1b537e3442
SSDeep: 24:UH2CWNqXKk+kOTRDbPbmgv6BVHZrWktSNiwAQies90v6kc0gGbgb30pBEqQ3zJWW:e2C7XOTxjyxZr3SNfk0v697b3TU1mB
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked (13.93 KB, YARA Match: False)
MD5: 2af6706ab406e196a754023bb5b08f8e
SHA1: a9cdc13ee9d1bacd6839add5f81ab82de5e7e5de
SHA256: f72c3bd337b5202b2adf059582fdd1b177205b75a42f82dcaa329ec13f53a549
SSDeep: 384:YFGWS3CbeK28dde7rbtrjBMmQwNX+bhTg:8GWSSbbs7rbZdMJU+1E
C:\Program Files\Mozilla Firefox\dependentlibs.list.locked (0.63 KB, YARA Match: False)
MD5: 3c14f93bb72414124716b4686c8cec97
SHA1: fc6bd596596b60aceb193ece8d549a13dfa7b51a
SHA256: 4774474aba978750c0596edf745d1900468b3e6b54cb12a5c6a237308a365442
SSDeep: 12:qEri4QeoeJvD/Hyall93amLdrnbQoNMeE7Qt6ylAs6eIspHBMd:t2EXTHyan93FZreyihspH2d
C:\Program Files\rempl\Logs\Remediation.002.etl.locked (128.14 KB, YARA Match: False)
MD5: 363725a63ab48cc05562bc06c4e1c87a
SHA1: 1b78148dc8f462e9c3c565ebe3985a802afd8e2b
SHA256: 35b0ebc1edafab5a19ffed47a59582a1c120c462cc63483fd41df8c949b86c25
SSDeep: 3072:tpzZPOehpB2uvBCZ3F8rR6pK0D7w8PeKfeTNSRQ:XzZ2e8uvQNKrR6pf/TzGIy
C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked (36.35 KB, YARA Match: False)
MD5: 3b90dd22ffd3aad9240a3653dd4e2b41
SHA1: b8dfde0a97578c22f71cf356c45a3dd962a083d7
SHA256: fc44dc30987d406909878290c7c61fb387531c96f3452887a9830ee2b4be3d08
SSDeep: 768:NEmmsbE62a4vBuTyxESxHUqCvUtzpUz7HCSsjWw6rjKTKSWghD:N7fV4JvxDpUNvaWfCbw3KEgd
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked (48.13 KB, YARA Match: False)
MD5: 426e3e5bd08700800757e515be10f337
SHA1: c6e4471cc6a18d9e49b51c266632f0c3014ac04e
SHA256: 05808f44c76a2d9aa79bb918353423213441c3896996bea74c8eb4f0e4cd27ec
SSDeep: 1536:jgrsCPDGnR75An5Fqs/qQ1yPkPoIrr2ako:jgrsCPDse7nhwYP
Host Behavior
File (158)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\Public\Desktop\README_LOCKED.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\dbghelp.dll type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\dbghelp.dll.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Mozilla Firefox\dependentlibs.list type = file_attributes True 3
Fn
Get Info C:\Program Files\Mozilla Firefox\dependentlibs.list.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\MSBuild\examined.exe type = file_attributes True 3
Fn
Get Info C:\Program Files\MSBuild\examined.exe.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\rempl\Unlock.xml type = file_attributes True 3
Fn
Get Info C:\Program Files\rempl\Unlock.xml.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\rempl\Logs\Remediation.002.etl type = file_attributes True 3
Fn
Get Info C:\Program Files\rempl\Logs\Remediation.002.etl.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json type = file_attributes True 3
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM type = file_attributes True 3
Fn
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked type = file_attributes False 1
Fn
Get Info C:\Users\Public\Desktop\README_LOCKED.txt type = file_type True 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\dbghelp.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Mozilla Firefox\dependentlibs.list.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\MSBuild\examined.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE False 1
Fn
Open \??\\C:\Program Files\rempl\Unlock.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\dbghelp.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\dbghelp.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Mozilla Firefox\dependentlibs.list.locked source_filename = C:\Program Files\Mozilla Firefox\dependentlibs.list, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\MSBuild\examined.exe.locked source_filename = C:\Program Files\MSBuild\examined.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\rempl\Unlock.xml.locked source_filename = C:\Program Files\rempl\Unlock.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\rempl\Logs\Remediation.002.etl.locked source_filename = C:\Program Files\rempl\Logs\Remediation.002.etl, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked size = 45136, size_out = 45136 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked size = 14120, size_out = 14120 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked size = 65536, size_out = 65536 True 10
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked size = 65072, size_out = 65072 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\dbghelp.dll.locked size = 65536, size_out = 65536 True 1
Fn
Data
Read - size = 65536, size_out = 65536 True 22
Fn
Data
Read \??\\C:\Program Files\Mozilla Firefox\dependentlibs.list.locked size = 494, size_out = 494 True 1
Fn
Data
Read \??\\C:\Program Files\rempl\Unlock.xml.locked size = 1541, size_out = 1541 True 1
Fn
Data
Read \??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked size = 65536, size_out = 65536 True 2
Fn
Data
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked size = 37072, size_out = 37072 True 1
Fn
Data
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked size = 49133, size_out = 49133 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked offset = 65536, size = 45140 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked offset = 0, size = 14124 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Resources\1033\msolui110.rll.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll.locked offset = 655360, size = 65076 True 1
Fn
Data
Write - offset = 10813440, size = 65536 True 1
Fn
Data
Write - offset = 10878976, size = 65536 True 1
Fn
Data
Write - offset = 10944512, size = 65536 True 1
Fn
Data
Write - offset = 11010048, size = 65536 True 1
Fn
Data
Write - offset = 11075584, size = 65536 True 1
Fn
Data
Write - offset = 11141120, size = 65536 True 1
Fn
Data
Write - offset = 11206656, size = 65536 True 1
Fn
Data
Write - offset = 11272192, size = 65536 True 1
Fn
Data
Write - offset = 11337728, size = 65536 True 1
Fn
Data
Write - offset = 11403264, size = 65536 True 1
Fn
Data
Write - offset = 11468800, size = 65536 True 1
Fn
Data
Write - offset = 11534336, size = 65536 True 1
Fn
Data
Write - offset = 11599872, size = 65536 True 1
Fn
Data
Write - offset = 11665408, size = 65536 True 1
Fn
Data
Write - offset = 11730944, size = 65536 True 1
Fn
Data
Write - offset = 11796480, size = 65536 True 1
Fn
Data
Write - offset = 11862016, size = 65536 True 1
Fn
Data
Write - offset = 11927552, size = 65536 True 1
Fn
Data
Write - offset = 11993088, size = 65536 True 1
Fn
Data
Write - offset = 12058624, size = 65536 True 1
Fn
Data
Write - offset = 12124160, size = 65536 True 1
Fn
Data
Write - offset = 12189696, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\dependentlibs.list.locked offset = 0, size = 498 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\dependentlibs.list.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Unlock.xml.locked offset = 0, size = 1545 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Unlock.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked offset = 65536, size = 65540 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Logs\Remediation.002.etl.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked offset = 0, size = 37076 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked offset = 0, size = 49137 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM.locked size = 144 True 1
Fn
Data
Process (1)
Operation Process Additional Information Success Count Logfile
Open c:\program files\msbuild\examined.exe desired_access = PROCESS_TERMINATE True 1
Fn
Module (79)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load kernel32 base_address = 0x75e90000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Handle c:\users\fd1hvy\appdata\local\temp\zzbdr base_address = 0x11a0000 True 2
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AreFileApisANSI, address_out = 0x75ea4280 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
Service (2)
Operation Additional Information Success Count Logfile
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Fn
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (41)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 30245289988 True 1
Fn
Get Time type = Performance Ctr, time = 30393609506 True 1
Fn
Get Time type = System Time True 19
Fn
Get Time type = Performance Ctr, time = 30395385703 True 1
Fn
Get Time type = Performance Ctr, time = 30497129540 True 1
Fn
Get Time type = Performance Ctr, time = 30526282028 True 1
Fn
Get Time type = Performance Ctr, time = 30588600786 True 1
Fn
Get Time type = Performance Ctr, time = 30612331953 True 1
Fn
Get Time type = Performance Ctr, time = 30642060882 True 1
Fn
Get Time type = Performance Ctr, time = 31376353130 True 1
Fn
Get Time type = Performance Ctr, time = 32074850471 True 1
Fn
Get Time type = Performance Ctr, time = 32103172931 True 1
Fn
Get Time type = Performance Ctr, time = 32344121005 True 1
Fn
Get Time type = Performance Ctr, time = 32424451559 True 1
Fn
Get Time type = Performance Ctr, time = 32447203102 True 1
Fn
Get Time type = Performance Ctr, time = 32607247437 True 1
Fn
Get Time type = Performance Ctr, time = 32630744849 True 1
Fn
Get Time type = Performance Ctr, time = 32793923921 True 1
Fn
Get Time type = Performance Ctr, time = 32821739831 True 1
Fn
Get Time type = Performance Ctr, time = 32914999495 True 1
Fn
Get Time type = Performance Ctr, time = 32927152569 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1019)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 1018
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (7)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\SQLDumper.exe True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft.NET\ADOMD.NET\110\Microsoft.AnalysisServices.AdomdClient.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\MSBuild\examined.exe True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\rempl\Unlock.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\rempl\Logs\Remediation.002.etl True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Config_131491847713900000.json True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\STUDIO.ELM True 1
Fn
Process #37: zzbdrimp5619.exe
Information Value
ID #37
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:32, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:25
OS Process Information
Information Value
PID 0xe00
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xF68
0xFA8
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked 27.21 KB MD5: 956b7324ccd15398f47ab7477f483832, SHA1: 1bbc5839575b6bc8e1399ecf33649b8c8af0e5fd, SHA256: b01262e2aa6c432e232bb3b6afc64408ea36e0debf887ac154425b16a4abdeeb, SSDeep: 384:DGiHHls3NJsJIfVERbzD0L0d/drLpKQFtUAM9WNJtzrTf0AqlNLu304Twx6axua:JHFs3NYIfV+UL0fX/Ftw98zzPDqltuDo False
C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked 273.92 KB MD5: b0e95e34825c8d5d71b27b0a6a9ac483, SHA1: 9035326384d0a2ba6912d70aaf1f9f51022cdea4, SHA256: b6059546bd63a560627e7c7311e3b75497771bdfd7c13b6d2b1170ffe7e4c572, SSDeep: 6144:MmlB/OWIreKsf3LPyzYH/6Gt/M3ExqVNp/biDfW5WFa0tXI:Mm/mFeKsf378k/6K/MxVzbiDfWQIEXI False
Host Behavior
File (80)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Mozilla Firefox\freebl3.dll.locked source_filename = C:\Program Files\Mozilla Firefox\freebl3.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets.locked source_filename = C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.VisualBasic.Targets, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets.locked source_filename = C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\Workflow.Targets, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\UNP\CampaignManager\CampaignCatalog.json.locked source_filename = C:\Program Files\UNP\CampaignManager\CampaignCatalog.json, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Reference Assemblies\tasks.exe.locked source_filename = C:\Program Files\Reference Assemblies\tasks.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastreviewsettings.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastreviewsettings.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked size = 27714, size_out = 27714 True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked size = 65536, size_out = 65536 True 4
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked size = 18200, size_out = 18200 True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked size = 65536, size_out = 65536 True 19
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked offset = 0, size = 27718 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl.locked size = 144 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 0, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked offset = 262144, size = 18204 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\110\msolui110.dll.locked size = 144 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 0, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 65536, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 131072, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 196608, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 262144, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 327680, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 393216, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 458752, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 524288, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 589824, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 655360, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 720896, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 786432, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 851968, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 917504, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 983040, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 1048576, size = 65536 True 1
Write \??\\C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX86\Microsoft Office\Office16\VVIEWER.DLL.locked offset = 1114112, size = 65536 True 1
Write - size = 53 True 1
Process (1)
Operation Process Additional Information Success Count Logfile
Open c:\program files\reference assemblies\tasks.exe desired_access = PROCESS_TERMINATE True 1
Module (75)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Service (2)
Operation Additional Information Success Count Logfile
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (29)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 30574873099 True 1
Get Time type = Performance Ctr, time = 30714685595 True 1
Get Time type = System Time True 13
Get Time type = Performance Ctr, time = 30734356583 True 1
Get Time type = Performance Ctr, time = 31399163140 True 1
Get Time type = Performance Ctr, time = 31420405821 True 1
Get Time type = Performance Ctr, time = 31575316849 True 1
Get Time type = Performance Ctr, time = 31879011648 True 1
Get Time type = Performance Ctr, time = 32021676742 True 1
Get Time type = Performance Ctr, time = 32078138625 True 1
Get Time type = Performance Ctr, time = 32230219578 True 1
Get Time type = Performance Ctr, time = 32332130696 True 1
Get Time type = Performance Ctr, time = 32429820056 True 1
Get Time type = Performance Ctr, time = 32795453111 True 1
Get Time type = Performance Ctr, time = 32906011582 True 1
Get Info type = Hardware Information True 2
Mutex (503)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 502
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Debug (1)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\110\Cartridges\trdtv2r41.xsl True 1
Process #38: zzbdrimp5619.exe
Information Value
ID #38
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0x7ec
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9FC
0xE80
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked 251.84 KB MD5: 91bc52836103cad9fff8a07ebb2ee39f, SHA1: 63813d16e3fb13d4dc9e4a7b4426b92cbe90ae08, SHA256: 18f6d6f9af33a476130f293058fb053f2702a547197dbc694dac2720ef3224aa, SSDeep: 6144:tGml8ZFf51mMjLpiXOLb4aGzQYSDc0d98alzUkFkm:tXl6ZPzcOwaGzRmfd98alzvd False
C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked 51.75 KB MD5: dd5996e6424f5876b058cd1f326d77b0, SHA1: 8de7ff7413262b8e499231c054daa52e401f4fec, SHA256: d558485ddff586964f8ddeee04e0cad5e311d7bfb4555a1f96b330d833a08ae5, SSDeep: 1536:ZmUrvT16hgxxIehrYf+NHabQk7Bi0tV1uD:wUrbwOVeE0tSD False
C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked 273.75 KB MD5: 612f273ef5913769f7fb5d07971ed739, SHA1: 00eff021ee806c31c19366226bf5e54e0bd58c34, SHA256: 410af6b5b25bf5ab716958b3a0990d301674155eceb5a5497d3db0fc26e43764, SSDeep: 6144:gNt7ACqsK15sPd0Z5kMrvl8PQUwiUJi7++K2:OMCqp1WPOmel5UpUU7+I False
C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked 973.83 KB MD5: 6b404b648fb671ff4ba0cfa008c92ad4, SHA1: 60d1ba77023cf5f04b48175860efb09214e32e8d, SHA256: 4eaa894f45658cd1ce508760d039608afbde1449cc5301f8cde882c73d63ce20, SSDeep: 24576:h2Yg9WoLfA36uCNrQ+J1UCB1Yb1sKUiYeNzyJ67GQ4:h/b+86uM0+J1UcYhs8yYI False
C:\Program Files\rempl\rempl.xml.locked 3.94 KB MD5: 252a596e8ac46861693bd57c12077651, SHA1: 85a0761ad5a282258e95e1942d09c72edca9ed43, SHA256: b0548d2562362d04787f1f7603240956025f2eedf2b6871b807f36ba534c59ec, SSDeep: 96:d3meNxuY4bsuQvV9nsLebvuzabc+cqIQwla:JtxuY4bspdtsLea2bTInla False
C:\Program Files\rempl\Logs\Remediation.001.etl.locked 128.14 KB MD5: d446b98dafe82e4e5242cc474d0eb2d0, SHA1: b975f4f5d111fe946c4e1291fca88fb56702fbe5, SHA256: f06176085f2df7c8b6747c4403826a3b0196cee34e1635eff4c53476772ce23c, SSDeep: 3072:qnbltcxSY4L+Zx6AGGI/WoqWZSZiSb5qqIQQl:CltA8+Zx6AGg0ZeipqItl False
C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked 0.58 KB MD5: 939924c5d7082fd632e14bb0c3306eaa, SHA1: 17ee599ccad99479555d219b12c4759eedf73d45, SHA256: 28a9fdaa42e84e22becc7711ca08bb302f59fca82bbb63ab72a888e976ad07ac, SSDeep: 12:JOOCDEPJBWjUsoyMK5s1OtL82TLM3hSg/a5eLeCwBSR:J5PyjUfyi1OtI2H+hSiaAhESR False
C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked 57.33 KB MD5: 185298aa051e0e86b4ec9fc6d5e9e67f, SHA1: c68a3e6add6f7cc4a9655305f6f70b7b28504a53, SHA256: 3d84d64f1c28e45b12a0956e21c8242aa167a2b0f0f76a4f754ebe55b9e21d7f, SSDeep: 1536:wYhB5Tn7Zw4W5cvtyAsSSdNwJC8OQYcXMOl:9B5TnlW5cvtXqNwJUQrMS False
Host Behavior
File (129)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked type = file_attributes False 1
Get Info C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll type = file_attributes True 3
Get Info C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked type = file_attributes False 1
Get Info C:\Program Files\Mozilla Firefox\browser\blocklist.xml type = file_attributes True 3
Get Info C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked type = file_attributes False 1
Get Info C:\Program Files\Mozilla Firefox\ucrtbase.dll type = file_attributes True 3
Get Info C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked type = file_attributes False 1
Get Info C:\Program Files\rempl\rempl.xml type = file_attributes True 3
Get Info C:\Program Files\rempl\rempl.xml.locked type = file_attributes False 1
Get Info C:\Program Files\rempl\Logs\Remediation.001.etl type = file_attributes True 3
Get Info C:\Program Files\rempl\Logs\Remediation.001.etl.locked type = file_attributes False 1
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml type = file_attributes True 3
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked type = file_attributes False 1
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html type = file_attributes True 3
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked type = file_attributes False 1
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml type = file_attributes True 3
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\rempl\rempl.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked source_filename = C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked source_filename = C:\Program Files\Mozilla Firefox\browser\blocklist.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked source_filename = C:\Program Files\Mozilla Firefox\ucrtbase.dll, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\rempl\rempl.xml.locked source_filename = C:\Program Files\rempl\rempl.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\rempl\Logs\Remediation.001.etl.locked source_filename = C:\Program Files\rempl\Logs\Remediation.001.etl, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked size = 52840, size_out = 52840 True 1
Read \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked size = 65536, size_out = 65536 True 3
Read \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked size = 61128, size_out = 61128 True 1
Read \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked size = 65536, size_out = 65536 True 4
Read \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked size = 18025, size_out = 18025 True 1
Read \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked size = 65536, size_out = 65536 True 15
Read \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked size = 14016, size_out = 14016 True 1
Fn
Data
Read \??\\C:\Program Files\rempl\rempl.xml.locked size = 3884, size_out = 3884 True 1
Fn
Data
Read \??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked size = 65536, size_out = 65536 True 2
Fn
Data
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked size = 446, size_out = 446 True 1
Fn
Data
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked size = 58554, size_out = 58554 True 1
Fn
Data
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml.locked size = 412 False 1
Fn
Write \??\\C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked offset = 0, size = 52844 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked offset = 196608, size = 61132 True 1
Fn
Data
Write \??\\C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked offset = 262144, size = 18029 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\blocklist.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 393216, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 458752, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 524288, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 589824, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 655360, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 720896, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 786432, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 851968, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 917504, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked offset = 983040, size = 14020 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\ucrtbase.dll.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\rempl.xml.locked offset = 0, size = 3888 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\rempl.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked offset = 65536, size = 65540 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\Logs\Remediation.001.etl.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked offset = 0, size = 450 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked offset = 0, size = 58558 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html.locked size = 144 True 1
Fn
Data
Module (75)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
User (5)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Fn
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Fn
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Fn
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
Fn
System (37)
Operation Additional Information Success Count Logfile
Get Time type = Performance Ctr, time = 31729282956 True 1
Fn
Get Time type = Performance Ctr, time = 31874876631 True 1
Fn
Get Time type = System Time True 17
Fn
Get Time type = Performance Ctr, time = 31894477619 True 1
Fn
Get Time type = Performance Ctr, time = 31939519184 True 1
Fn
Get Time type = Performance Ctr, time = 31964646140 True 1
Fn
Get Time type = Performance Ctr, time = 32028177211 True 1
Fn
Get Time type = Performance Ctr, time = 32036241198 True 1
Fn
Get Time type = Performance Ctr, time = 32146301273 True 1
Fn
Get Time type = Performance Ctr, time = 32255567594 True 1
Fn
Get Time type = Performance Ctr, time = 32422310026 True 1
Fn
Get Time type = Performance Ctr, time = 32446264255 True 1
Fn
Get Time type = Performance Ctr, time = 32609399686 True 1
Fn
Get Time type = Performance Ctr, time = 32633368394 True 1
Fn
Get Time type = Performance Ctr, time = 32768499806 True 1
Fn
Get Time type = Performance Ctr, time = 32769598752 True 1
Fn
Get Time type = Performance Ctr, time = 32900636495 True 1
Fn
Get Time type = Performance Ctr, time = 32922731954 True 1
Fn
Get Time type = Performance Ctr, time = 32975480622 True 1
Fn
Get Info type = Hardware Information True 2
Fn
Mutex (1514)
Operation Additional Information Success Count Logfile
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Release mutex_name = MX-zzbdrimp True 1513
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String - True 1
Fn
Data
Debug (9)
Operation Process Additional Information Success Count Logfile
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\System\VEN2232.OLB True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Microsoft Office\root\VFS\SystemX86\vccorlib140.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Mozilla Firefox\browser\blocklist.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Mozilla Firefox\ucrtbase.dll True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\rempl\rempl.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\rempl\Logs\Remediation.001.etl True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastreviewsettings.xml True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\index.html True 1
Fn
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastreviewsettings.xml True 1
Fn
Process #39: zzbdrimp5619.exe
Information Value
ID #39
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:44, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:13
OS Process Information
Information Value
PID 0x570
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x8F4, 0xF44
Dropped Files
Filename File Size Hash Values YARA Match Actions
C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked 7.77 KB MD5: b857dc9bf3b06f523c1ef53ed7f4325d
SHA1: 2de640f58c41000623aead1aa859af8e376f290a
SHA256: 023ba95c5e9382c6d7e833467600a205c0557dbe5616e4d6026ad13830fd7696
SSDeep: 192:wbjEGMgMB/ojjRlIubpHGMFx32h15Z1lGbrSpf/qHT:2jXyB/ijnIubskkhjZLGbW6T
False
C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked 0.14 KB MD5: 4f35228e68624384e78607293e19caee
SHA1: 72ea42cb4cd7c2a819aa15e186bd5a8676217280
SHA256: 8a46158ef80e24331f2cc08e02c6ad09982814a790f0203ef89effaa287df66f
SSDeep: 3:sdRJ//PWIOAiq5K6ErKRgoZQdCefXfpB33JnyB80d8ArzEGIn:uRJ5OhehRgBCAvpVJyBf8GEGIn
False
C:\Program Files\Mozilla Firefox\freebl3.chk.locked 1.02 KB MD5: b0d2177749004ddd878a90b1b97cc33f
SHA1: cbf405febc581bb770c0144784a81168193ff396
SHA256: bb8af61cc7b77a2e6c5036241e8e3c66e4c0a4a380718159353fd67b79ed4d86
SSDeep: 24:gGWE34bnAURJly1uv6Pxkb8QPxTzrEv6po0n:gvK4jAnxVoEipo0n
False
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked 5.21 KB MD5: c4fa7be76d0db28ec7d5460a7b7fa4f6
SHA1: 1334fd61e30fa033583773ef2f14c86365b1fdcb
SHA256: 1aa9b332b9487ccb3bf9d316e7314dab61e739a1e2ee858e2f40f13e742b7694
SSDeep: 96:ccgcgnmK5AY6/F5UCpYiOjYsq/rrncASPRm2FjMVb1IKHeAOSov8B9wF5mIn:cnl6d5dWiOjYbrc9PRm2U1IKHiv865r
False
C:\Program Files\rempl\remsh.exe.locked 404.15 KB MD5: 701c873d6986dc2a51dfb925ac53afe4
SHA1: fb93d3d3356c3d39e03eb66c7a5650b7905f6850
SHA256: f789a8f7a2224be0c32038b2659174d87fd20b77f8a280dfe500a09e32d27548
SSDeep: 12288:b9skxfyvUT3VserzN+WdjZIzz4tmlAir2qtUo2ZH10+:ucqSFseVi/N+ir2qtkZHy+
False
C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked 0.55 KB MD5: 077ce77055a7df78f7697bb18f1dff31
SHA1: 3dca90ae1f17a57267d18591c29b3efd3591d0e6
SHA256: 3c38e3931ee7e4c2883d882b44556a80a7336ce326c007656c11d82a9ce46392
SSDeep: 12:53oYoNAjkWRYl39TyU5mk0nKlaTlP1NiHgM6MyTlsLfYm9cXQ1it:5W/WU4pnKlaVjiHgMc+LfYccDt
False
C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked 0.64 KB MD5: 00ef1bb8f6c0e4a9e1498b3a22ceceb9
SHA1: 65c134418b7615415872cee104004133af683678
SHA256: 0513dd9691c8d2ed1de3f3c46621ed595c1586a29f0dbea39ecfc7c5f79bfd8f
SSDeep: 12:Q4G5TI/baXyYvfqrbOVDvb1feyBYiAVL9VNhJlwjzgSyRKihbxkrj:CIWXyafAbOBvbcVRVNhrw5qZSrj
False
Host Behavior
File (89)
Operation Filename Additional Information Success Count Logfile
Get Info C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi type = file_attributes True 3
Fn
Get Info C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Mozilla Firefox\browser\chrome.manifest type = file_attributes True 3
Fn
Get Info C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Mozilla Firefox\freebl3.chk type = file_attributes True 3
Fn
Get Info C:\Program Files\Mozilla Firefox\freebl3.chk.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets type = file_attributes True 3
Fn
Get Info C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\rempl\remsh.exe type = file_attributes True 3
Fn
Get Info C:\Program Files\rempl\remsh.exe.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\Reference Assemblies\spies_circus_courage.exe type = file_attributes True 3
Fn
Get Info C:\Program Files\Reference Assemblies\spies_circus_courage.exe.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml type = file_attributes True 3
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml type = file_attributes True 3
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked type = file_attributes False 1
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgrade.xml type = file_attributes True 3
Fn
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgrade.xml.locked type = file_attributes False 1
Fn
Open STD_INPUT_HANDLE - True 1
Fn
Open STD_OUTPUT_HANDLE - True 1
Fn
Open STD_ERROR_HANDLE - True 1
Fn
Open \??\\C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Mozilla Firefox\freebl3.chk.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\rempl\remsh.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\Reference Assemblies\spies_circus_courage.exe.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE False 1
Fn
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgrade.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Fn
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Fn
Move C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked source_filename = C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked source_filename = C:\Program Files\Mozilla Firefox\browser\chrome.manifest, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Mozilla Firefox\freebl3.chk.locked source_filename = C:\Program Files\Mozilla Firefox\freebl3.chk, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked source_filename = C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\rempl\remsh.exe.locked source_filename = C:\Program Files\rempl\remsh.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\Reference Assemblies\spies_circus_courage.exe.locked source_filename = C:\Program Files\Reference Assemblies\spies_circus_courage.exe, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgrade.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgrade.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Fn
Read \??\\C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked size = 7811, size_out = 7811 True 1
Fn
Data
Read \??\\C:\Program Files\Mozilla Firefox\freebl3.chk.locked size = 899, size_out = 899 True 1
Fn
Data
Read \??\\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked size = 5182, size_out = 5182 True 1
Fn
Data
Read \??\\C:\Program Files\rempl\remsh.exe.locked size = 65536, size_out = 65536 True 6
Fn
Data
Read \??\\C:\Program Files\rempl\remsh.exe.locked size = 20488, size_out = 20488 True 1
Fn
Data
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked size = 419, size_out = 419 True 1
Fn
Data
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked size = 505, size_out = 505 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked offset = 0, size = 7815 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\browser\chrome.manifest.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\freebl3.chk.locked offset = 0, size = 903 True 1
Fn
Data
Write \??\\C:\Program Files\Mozilla Firefox\freebl3.chk.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked offset = 0, size = 5186 True 1
Fn
Data
Write \??\\C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 0, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 65536, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 131072, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 196608, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 262144, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 327680, size = 65536 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked offset = 393216, size = 20492 True 1
Fn
Data
Write \??\\C:\Program Files\rempl\remsh.exe.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked offset = 0, size = 423 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml.locked size = 144 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked offset = 0, size = 509 True 1
Fn
Data
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml.locked size = 144 True 1
Fn
Data
Process (1)
Operation Process Additional Information Success Count Logfile
Open c:\program files\reference assemblies\spies_circus_courage.exe desired_access = PROCESS_TERMINATE True 1
Fn
Module (75)
Operation Module Additional Information Success Count Logfile
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Fn
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Fn
Load ntdll.dll base_address = 0x77bb0000 True 1
Fn
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Fn
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Fn
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Fn
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Fn
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Fn
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Fn
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Fn
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
Fn
Service (2)
Operation Additional Information Success Count
Open database_name = SERVICES_ACTIVE_DATABASE False 1
Open Manager database_name = SERVICES_ACTIVE_DATABASE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (35)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 31807735972 True 1
Get Time type = Performance Ctr, time = 31967734401 True 1
Get Time type = System Time True 16
Get Time type = Performance Ctr, time = 31979242954 True 1
Get Time type = Performance Ctr, time = 32024672174 True 1
Get Time type = Performance Ctr, time = 32025412843 True 1
Get Time type = Performance Ctr, time = 32079751413 True 1
Get Time type = Performance Ctr, time = 32139277575 True 1
Get Time type = Performance Ctr, time = 32295582567 True 1
Get Time type = Performance Ctr, time = 32313342032 True 1
Get Time type = Performance Ctr, time = 32399009444 True 1
Get Time type = Performance Ctr, time = 32426744800 True 1
Get Time type = Performance Ctr, time = 32776201782 True 1
Get Time type = Performance Ctr, time = 32831196464 True 1
Get Time type = Performance Ctr, time = 32842331681 True 1
Get Time type = Performance Ctr, time = 32917847345 True 1
Get Time type = Performance Ctr, time = 32924449351 True 1
Get Time type = Performance Ctr, time = 32971151752 True 1
Get Info type = Hardware Information True 2
Mutex (1471)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 1470
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (8)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Mozilla Firefox\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Mozilla Firefox\browser\chrome.manifest True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Workflow.VisualBasic.Targets True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\rempl\remsh.exe True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\Reference Assemblies\spies_circus_courage.exe True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgradeth2.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgrade.xml True 1
Process #40: zzbdrimp5619.exe
381 0
Information Value
ID #40
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:55, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:02
OS Process Information
Information Value
PID 0xb6c
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xE64
0xC6C
Dropped Files
Filename C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked
File Size 0.83 KB
MD5: ac41d08bd01d9ceb3aca037db20b4a8e
SHA1: 53efcd02aa98d07d6bfe7e04a8bf15040b812055
SHA256: fcc61e548bce9e5e1a53a708867105c40deb9e1a85cb36676f7b2e4db0ae4ea9
SSDeep: 24:6fhoWkzk53AIHgxj8zdnEiFodji2FvdXAnPOCkAS:MFCk53Jm8p6FvdXNCkAS
YARA Match False
Host Behavior
File (20)
Operation Filename Additional Information Success Count
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml type = file_attributes True 3
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked type = file_attributes False 1
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml type = file_attributes True 3
Get Info C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml.locked type = file_attributes False 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 1
Open STD_ERROR_HANDLE - True 1
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml.locked desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, open_options = FILE_SYNCHRONOUS_IO_NONALERT, FILE_OPEN_FOR_BACKUP_INTENT, share_mode = FILE_SHARE_READ, FILE_SHARE_DELETE True 1
Open Mapping SM-zzbdrimp desired_access = FILE_MAP_COPY, FILE_MAP_WRITE True 1
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Move C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml.locked source_filename = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml, flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked size = 702, size_out = 702 True 1
Read \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml.locked size = 378 False 1
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked offset = 0, size = 706 True 1
Write \??\\C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml.locked size = 144 True 1
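The File, Process and Module tables of these worker processes show the encryptor's per-file routine in the raw: rename the target to `.locked` with MOVEFILE_REPLACE_EXISTING, read it back (702 bytes for the el-GR toast file), overwrite it from offset 0 with a slightly larger body (706 bytes), then issue one offset-less 144-byte write per file; alongside that it resolves the Restart Manager API (RmStartSession, RmRegisterResources, RmGetList) and opens another process with PROCESS_TERMINATE, the standard way an encryptor finds and kills whatever holds a file open. The script below is an added triage helper, not VMRay's code and not part of this report: it parses rows in the report's own format, rebuilds the per-file write layout, and derives behavioural indicators from it. The sample rows are constructed from the tables above; the sanity check it makes is that 706 + 144 = 850 bytes, which is exactly the 0.83 KB the Dropped Files entry for the el-GR file reports. Treating the offset-less write as an appended trailer is an assumption that this size match supports.

```python
"""Triage of VMRay-style host-behaviour rows. Added example: not VMRay code and
not part of the original report. SAMPLE_LOG is constructed from the File,
Process and Module tables above; every number in it is the report's own."""
import re
from collections import defaultdict

# Two of the locale files the encryptor touched (paths from the report).
EL_GR = r"C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml"
CA_ES = r"C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\ca-ES\toastbeginupgradeth2.xml"
NT = "\\??\\\\"  # object-manager prefix exactly as printed on the Read/Write rows

SAMPLE_LOG = "\n".join([  # constructed from the report's tables
    "Move " + EL_GR + ".locked source_filename = " + EL_GR
    + ", flags = MOVEFILE_REPLACE_EXISTING, MOVEFILE_COPY_ALLOWED True 1",
    "Read " + NT + EL_GR + ".locked size = 702, size_out = 702 True 1",
    "Write " + NT + EL_GR + ".locked offset = 0, size = 706 True 1",
    "Write " + NT + EL_GR + ".locked size = 144 True 1",
    "Write " + NT + CA_ES + ".locked offset = 0, size = 423 True 1",
    "Write " + NT + CA_ES + ".locked size = 144 True 1",
    r"Open c:\program files\reference assemblies\spies_circus_courage.exe desired_access = PROCESS_TERMINATE True 1",
    r"Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1",
    r"Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1",
    r"Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1",
])

OPS = ("Get Address", "Get Info", "Move", "Read", "Write", "Open")
RESTART_MANAGER_API = {"rmstartsession", "rmregisterresources", "rmgetlist"}
_RESULT = re.compile(r"^(?P<body>.*?)\s+(?P<ok>True|False)\s+(?P<count>\d+)$")
_FIRST_KEY = re.compile(r"\s+\w+\s*=\s*")  # where the Additional Information column starts
_KV = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")  # values may contain commas
_NT_PREFIX = re.compile(r"^\\\?\?\\+")


def norm_path(path):
    """Drop the NT prefix and lower-case, so the Move row (Win32 path) and the
    Read/Write rows (NT path) of one file share a key."""
    return _NT_PREFIX.sub("", path.strip()).lower()


def parse_line(line):
    """One report row -> dict with op, target, ok, count and the key=value fields."""
    line = line.strip()
    op = next((o for o in OPS if line.startswith(o + " ")), None)
    m = _RESULT.match(line[len(op):].strip()) if op else None
    if m is None:
        return None
    body = m.group("body")
    cut = _FIRST_KEY.search(body)
    target, info = (body[:cut.start()], body[cut.start():]) if cut else (body, "")
    event = {"op": op, "target": norm_path(target),
             "ok": m.group("ok") == "True", "count": int(m.group("count"))}
    event.update((k, v.strip()) for k, v in _KV.findall(info))
    return event


def parse_events(text):
    return [e for e in map(parse_line, text.splitlines()) if e]


def file_stats(events):
    """Per file: rename source, bytes read, end of the offset-addressed writes,
    and the size of the write issued without an offset."""
    stats = defaultdict(lambda: {"renamed_from": None, "bytes_read": 0,
                                 "body_end": 0, "trailer": None})
    for e in events:
        if e["op"] not in ("Move", "Read", "Write") or not e["ok"]:
            continue
        s = stats[e["target"]]
        if e["op"] == "Move" and "source_filename" in e:
            s["renamed_from"] = norm_path(e["source_filename"])
        elif e["op"] == "Read":
            s["bytes_read"] += int(e.get("size_out", e.get("size", 0)))
        elif "offset" in e:
            s["body_end"] = max(s["body_end"], int(e["offset"]) + int(e["size"]))
        else:  # no offset: lands at the current file pointer, i.e. is appended (assumption)
            s["trailer"] = int(e["size"])
    return dict(stats)


def locked_size(stats, path):
    s = stats[norm_path(path)]
    return s["body_end"] + (s["trailer"] or 0)


def kib(nbytes):
    """Size the way the Dropped Files table prints it (KB, 1024-based, 2 dp)."""
    return round(nbytes / 1024, 2)


def indicators(events):
    """Behaviours a detection rule for this sample could key on."""
    found = set()
    for e in events:
        if (e["op"] == "Move" and e["target"].endswith(".locked")
                and "MOVEFILE_REPLACE_EXISTING" in e.get("flags", "")):
            found.add("rename_to_locked_extension")
        if e["op"] == "Open" and "PROCESS_TERMINATE" in e.get("desired_access", ""):
            found.add("opens_process_for_terminate")
        if e["op"] == "Get Address" and e.get("function", "").lower() in RESTART_MANAGER_API:
            found.add("resolves_restart_manager_api")  # used to find who holds a file open
    stats = file_stats(events)
    trailers = [s["trailer"] for s in stats.values() if s["trailer"]]
    if len(trailers) >= 2 and len(set(trailers)) == 1:
        found.add("fixed_trailer_%d_bytes" % trailers[0])
    if any(s["renamed_from"] and 0 < s["bytes_read"] <= s["body_end"] for s in stats.values()):
        found.add("rewrites_renamed_file_in_place")
    return found


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG)
    print(sorted(indicators(ev)), locked_size(file_stats(ev), EL_GR + ".locked"))
```

The parser keys on the row shape the report uses (operation, target, `key = value` pairs, Success, Count), so it can be pointed at any of the File, Process or Module tables in this page once the link residue is stripped. The in-place rewrite check deliberately requires the read size to be no larger than the body written back: the en-PH file in this process shows a failed 378-byte read and no write, because the worker was terminated by the analysis timeout mid-file, and such a partial row should not count as an encrypted file.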
Module (75)
Operation Module Additional Information Success Count
Load api-ms-win-core-synch-l1-2-0 base_address = 0x74ea0000 True 2
Load api-ms-win-core-fibers-l1-1-1 base_address = 0x74ea0000 True 2
Load api-ms-win-core-localization-l1-2-1 base_address = 0x74ea0000 True 1
Load Rstrtmgr.dll base_address = 0x744f0000 True 1
Load ntdll.dll base_address = 0x77bb0000 True 1
Load api-ms-win-core-sysinfo-l1-2-1 base_address = 0x74ea0000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x75e90000 True 3
Get Handle c:\windows\syswow64\ntdll.dll base_address = 0x77bb0000 True 1
Get Filename - process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, file_name_orig = C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsAlloc, address_out = 0x74f9bea0 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = FlsSetValue, address_out = 0x74f92550 True 2
Get Address c:\windows\syswow64\kernelbase.dll function = InitializeCriticalSectionEx, address_out = 0x74f97060 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = FlsGetValue, address_out = 0x74f870c0 True 2
Get Address c:\windows\syswow64\kernelbase.dll address_out = 0x74f7ed00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x75ea4ae0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x75ea4b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x75ea4b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x75ea4b40 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x75efebc0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitOnceExecuteOnce, address_out = 0x74f95550 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateEventExW, address_out = 0x75efeb20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreW, address_out = 0x75efeb90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x75efeb80 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x75ea6d30 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x77bfd7c0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x77bfb840 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x77bfb740 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x75ea6d70 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x77bfc0b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x77bfbe10 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77c22b20 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x77c18e50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x77c152f0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x75ea4510 True 2
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x74f9e260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount64, address_out = 0x75ea0db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileInformationByHandleEx, address_out = 0x75ea43d0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetFileInformationByHandle, address_out = 0x75eff110 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x75eff1e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeConditionVariable, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WakeConditionVariable, address_out = 0x77c88c50 True 1
Get Address c:\windows\syswow64\kernel32.dll address_out = 0x77c18a90 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableCS, address_out = 0x7500fca0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeSRWLock, address_out = 0x77c13a00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = AcquireSRWLockExclusive, address_out = 0x77bf58e0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = TryAcquireSRWLockExclusive, address_out = 0x77c72ce0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReleaseSRWLockExclusive, address_out = 0x77bf83a0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SleepConditionVariableSRW, address_out = 0x7500fcf0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWork, address_out = 0x75ea6db0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SubmitThreadpoolWork, address_out = 0x77bfeb00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWork, address_out = 0x77bfed50 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x75ea7050 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x75ea7190 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x75ea7480 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateHardLinkW, address_out = 0x75ea44f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtQuerySection, address_out = 0x77c22220 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmStartSession, address_out = 0x744f7930 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmRegisterResources, address_out = 0x744f7660 True 1
Get Address c:\windows\syswow64\rstrtmgr.dll function = RmGetList, address_out = 0x744f74f0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenFile, address_out = 0x77c22040 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtClose, address_out = 0x77c21de0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtReadFile, address_out = 0x77c21d50 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteFile, address_out = 0x77c21d70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = RtlInitUnicodeString, address_out = 0x77c242f0 True 1
Get Address c:\windows\syswow64\kernelbase.dll function = GetSystemTimePreciseAsFileTime, address_out = 0x74f6b830 True 1
Map SM-zzbdrimp process_name = c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe, desired_access = FILE_MAP_WRITE True 1
User (5)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Lookup Privilege privilege = SeBackupPrivilege, luid = 17 True 1
Lookup Privilege privilege = SeRestorePrivilege, luid = 18 True 1
Lookup Privilege privilege = SeLockMemoryPrivilege, luid = 4 True 1
Lookup Privilege privilege = SeCreateGlobalPrivilege, luid = 30 True 1
System (9)
Operation Additional Information Success Count
Get Time type = Performance Ctr, time = 32824660106 True 1
Get Time type = Performance Ctr, time = 32892374752 True 1
Get Time type = System Time True 3
Get Time type = Performance Ctr, time = 32918912359 True 1
Get Time type = Performance Ctr, time = 32965886400 True 1
Get Info type = Hardware Information True 2
Mutex (259)
Operation Additional Information Success Count
Open mutex_name = MX-zzbdrimp, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Release mutex_name = MX-zzbdrimp True 258
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Debug (2)
Operation Process Additional Information Success Count
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\el-GR\toastbeginupgrade.xml True 1
Print c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe type = DEBUG_STRING, text = C:\Program Files\UNP\CampaignManager\Campaigns\{91be532c-f9f1-406a-9858-43697c6f437a}\Content1\en-PH\toastbeginupgradeth2.xml True 1
Process #41: zzbdrimp5619.exe
0 0
Information Value
ID #41
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xdd8
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9B0
Process #42: zzbdrimp5619.exe
0 0
Information Value
ID #42
File Name c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe
Command Line C:\Users\FD1HVy\AppData\Local\Temp\zzbdrimp5619.exe -i SM-zzbdrimp -s
Initial Working Directory C:\Users\FD1HVy\Desktop\
Monitor Start Time: 00:03:57, Reason: Child Process
Unmonitor End Time: 00:03:58, Reason: Terminated by Timeout
Monitor Duration 00:00:00
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xed0
Parent PID 0x4e4 (c:\users\fd1hvy\appdata\local\temp\zzbdrimp5619.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username NQDPDE\FD1HVy
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs -