VMRay Analyzer Report
Monitored Processes
Behavior Information - Grouped by Category
Process #1: lxqfwvdqlkd.exe
(Host: 1387, Network: 0)
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:20, Reason: Analysis Target
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:05:01
OS Process Information
Information Value
PID 0x9f4
Parent PID 0x564 (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0x9F8
0xA08
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory Readable, Writable True True False
pagefile_0x00000000001b0000 0x001b0000 0x001b6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False
msctf.dll.mui 0x001d0000 0x001d0fff Memory Mapped File Readable, Writable False False False
private_0x00000000001e0000 0x001e0000 0x0025ffff Private Memory Readable, Writable True True False
private_0x0000000000260000 0x00260000 0x0029ffff Private Memory Readable, Writable True True False
private_0x00000000002a0000 0x002a0000 0x0039ffff Private Memory Readable, Writable True True False
pagefile_0x00000000003a0000 0x003a0000 0x003a1fff Pagefile Backed Memory Readable True False False
private_0x00000000003a0000 0x003a0000 0x003a8fff Private Memory Readable, Writable, Executable True True False
private_0x00000000003b0000 0x003b0000 0x003b0fff Private Memory Readable, Writable True True False
lxqfwvdqlkd.exe 0x00400000 0x00447fff Memory Mapped File Readable, Writable, Executable True True False
locale.nls 0x00450000 0x004b6fff Memory Mapped File Readable False False False
private_0x00000000004f0000 0x004f0000 0x0052ffff Private Memory Readable, Writable True True False
private_0x0000000000580000 0x00580000 0x0058ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000590000 0x00590000 0x00717fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000720000 0x00720000 0x008a0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000008b0000 0x008b0000 0x01caffff Pagefile Backed Memory Readable True False False
private_0x0000000001cb0000 0x01cb0000 0x01d1ffff Private Memory Readable, Writable True True False
private_0x0000000001d70000 0x01d70000 0x01d7ffff Private Memory Readable, Writable True True False
private_0x0000000001d80000 0x01d80000 0x0217ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x02180000 0x0244efff Memory Mapped File Readable False False False
private_0x0000000002450000 0x02450000 0x0254ffff Private Memory Readable, Writable True True False
private_0x0000000002450000 0x02450000 0x024fffff Private Memory Readable, Writable True True False
private_0x0000000002450000 0x02450000 0x024cffff Private Memory Readable, Writable True True False
private_0x00000000024f0000 0x024f0000 0x024fffff Private Memory Readable, Writable True True False
private_0x0000000002510000 0x02510000 0x0254ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002550000 0x02550000 0x0262efff Pagefile Backed Memory Readable True False False
private_0x0000000002630000 0x02630000 0x0272ffff Private Memory Readable, Writable True True False
private_0x0000000002780000 0x02780000 0x0278ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002790000 0x02790000 0x02b82fff Pagefile Backed Memory Readable True False False
staticcache.dat 0x02b90000 0x034bffff Memory Mapped File Readable False False False
private_0x00000000034c0000 0x034c0000 0x074bffff Private Memory Readable, Writable, Executable True False False
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False
dwmapi.dll 0x73430000 0x73442fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x738b0000 0x7392ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74e60000 0x74eb0fff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x74ec0000 0x74f1efff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75570000 0x756cbfff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763e0000 0x7646efff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Get Info STD_INPUT_HANDLE type = file_type False 1
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Get Info STD_ERROR_HANDLE type = file_type False 1
Open STD_INPUT_HANDLE True 1
Open STD_OUTPUT_HANDLE True 1
Open STD_ERROR_HANDLE True 1
Registry (2)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 2
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe os_pid = 0xa24, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe os_tid = 0x9f8 True 1
Set Context c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe os_tid = 0x9f8 True 1
Resume c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe os_tid = 0x9f8 True 1
Memory (5)
Operation Process Additional Information Success Count
Allocate C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe address = 0x34c0004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 55337240 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe address = 0x400000, size = 512 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe address = 0x400000, size = 1 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe address = 0x401000, size = 141824 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe address = 0x7efde008, size = 4 True 1
Module (158)
Operation Module Additional Information Success Count
Load OLEAUT32.DLL base_address = 0x763e0000 True 1
Load SXS.DLL base_address = 0x74ec0000 True 1
Load ADVAPI32.DLL base_address = 0x76760000 True 2
Load user32 base_address = 0x75120000 True 5
Load winspool.drv base_address = 0x74e60000 True 1
Load Msvbvm60.dll base_address = 0x72940000 True 1
Load kernel32 base_address = 0x765b0000 True 18
Load advapi32 base_address = 0x76760000 True 1
Load shell32 base_address = 0x75790000 True 1
Load ntdll base_address = 0x77560000 True 8
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 2
Get Handle c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x763e0000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x75570000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75120000 True 1
Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe, size = 260 True 3
Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Get Filename c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe, size = 260 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x765c5235 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x764470a1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x763f3dcf True 1
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x763f07b7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x76411ca9 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x763f8e70 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x763f7684 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x763fcc98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x7642903a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x763f6231 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x763f5fea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x76403f94 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x76404e9e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x7642db72 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x76412a8c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x7642d737 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x7642e015 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x7642cc3d True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x7642d1c4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x7642d48c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x7642d4c6 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x7642d509 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x763fe7bb True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x763fe496 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x763fddf1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x7642d53f True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x76432055 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x764320ea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x76432151 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x764321f5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x76432288 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x76432335 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x764323d5 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x76405934 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x76405a98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x764059b4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x7645e405 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x7645ef07 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x7645f00a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x7645ef47 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x7645f15e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x7645dbd4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x7645ecfa True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x7645ea66 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x7645d332 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x7645ee2e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x7645ca11 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x7645cc5f True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x7645cde7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x7645c802 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x7645ec66 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x7645d155 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x763fb0dc True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x76415f3e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x76404fd0 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x76400d2c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x764159ed True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x763ef8b8 True 1
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x755b9d4e True 1
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x75580782 True 1
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x74f07685 True 1
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x75137d2f True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x75143150 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x7515e7a0 True 1
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x75145281 True 1
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x7514451a True 1
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x75144413 True 1
Get Address c:\windows\syswow64\advapi32.dll function = CloseEventLog, address_out = 0x767677c3 True 1
Get Address c:\windows\syswow64\advapi32.dll function = SetAclInformation, address_out = 0x767a34e3 True 1
Get Address c:\windows\syswow64\user32.dll function = CreateDialogIndirectParamA, address_out = 0x7514b029 True 1
Get Address c:\windows\syswow64\winspool.drv function = DeletePrintProcessorA, address_out = 0x74e68aff True 1
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExA, address_out = 0x7513d22e True 1
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x75140dfb True 1
Get Address c:\windows\syswow64\msvbvm60.dll function = rtcDoEvents, address_out = 0x72a0e0f7 True 1
Get Address c:\windows\syswow64\user32.dll function = EnumWindows, address_out = 0x7513d1cf True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x765c1856 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x765c110c True 1
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x765c10ff True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x765c1b00 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x765c11a9 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x765dd9b0 True 1
Get Address c:\windows\syswow64\user32.dll function = GetCursorPos, address_out = 0x75141218 True 1
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76774907 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x765c1410 True 1
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x757a3c71 True 1
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x765c1282 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x765c3f5c True 1
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x765dd802 True 1
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x766445bf True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x765c103d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x765dd4dc True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x765ca315 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x765c196e True 1
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x765c3ed3 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x765c5223 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtAllocateVirtualMemory, address_out = 0x7757fab0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteVirtualMemory, address_out = 0x7757fe04 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtTerminateThread, address_out = 0x77580074 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenEvent, address_out = 0x7757fe98 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x7757fc70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtGetContextThread, address_out = 0x77580c20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtSetContextThread, address_out = 0x77581910 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtResumeThread, address_out = 0x77580058 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x765d174d True 1
Window (9)
Operation Window Name Additional Information Success Count
Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Create class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Create class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Create Southlander wndproc_parameter = 0 True 1
Create Southlander wndproc_parameter = 0 True 1
Create çSÌ¥’ËhєÃ7¯¸X ²B class_name = STATIC, wndproc_parameter = 0 True 1
Set Attribute class_name = VBMsoStdCompMgr, index = 0, new_long = 5185692 False 1
Set Attribute Southlander index = 18446744073709551600, new_long = 114229248 True 1
Set Attribute Southlander index = 18446744073709551596, new_long = 256 True 1
Keyboard (1)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
System (1073)
Operation Additional Information Success Count
Get Cursor x_out = 431, y_out = 118 True 525
Get Cursor x_out = 1040, y_out = 843 True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 3
Sleep duration = 2000 milliseconds (2.000 seconds) True 1
Sleep duration = 1 milliseconds (0.001 seconds) True 525
Get Time type = Ticks, time = 59529 True 3
Get Time type = Ticks, time = 59576 True 6
Get Time type = Ticks, time = 66066 True 1
Get Time type = Ticks, time = 74646 True 1
Get Time type = Ticks, time = 76658 True 1
Get Info type = Operating System True 3
Get Info type = Operating System False 2
Get Info type = Hardware Information True 1
Mutex (1)
Operation Additional Information Success Count
Create True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String True 1
Process #2: lxqfwvdqlkd.exe
(Host: 49, Network: 0)
Information Value
ID #2
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:51, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:04:30
OS Process Information
Information Value
PID 0xa24
Parent PID 0x9f4 (c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe)
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, OWNER)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs
0xA28
0xA2C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True True False
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x0003dfff Private Memory Readable, Writable, Executable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000250000 0x00250000 0x00273fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000280000 0x00280000 0x0028dfff Private Memory Readable, Writable, Executable True True False
imm32.dll 0x00290000 0x002adfff Memory Mapped File Readable False False False
private_0x0000000000290000 0x00290000 0x00290fff Private Memory Readable, Writable True True False
private_0x00000000002a0000 0x002a0000 0x002a0fff Private Memory Readable, Writable True True False
pagefile_0x00000000002b0000 0x002b0000 0x002d3fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x00000000002e0000 0x002e0000 0x002f3fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000300000 0x00300000 0x0037ffff Private Memory Readable, Writable True True False
private_0x0000000000400000 0x00400000 0x00423fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000430000 0x00430000 0x0052ffff Private Memory Readable, Writable True True False
private_0x0000000000590000 0x00590000 0x0068ffff Private Memory Readable, Writable True True False
private_0x0000000000690000 0x00690000 0x00810fff Private Memory Readable, Writable True True False
pagefile_0x0000000000690000 0x00690000 0x0071afff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000820000 0x00820000 0x00b22fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000b30000 0x00b30000 0x00cdffff Private Memory Readable, Writable True True False
pagefile_0x0000000000b30000 0x00b30000 0x00cb7fff Pagefile Backed Memory Readable True False False
private_0x0000000000cd0000 0x00cd0000 0x00cdffff Private Memory Readable, Writable True True False
pagefile_0x0000000000ce0000 0x00ce0000 0x00e60fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000e70000 0x00e70000 0x0226ffff Pagefile Backed Memory Readable True False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source OS Thread ID Injection Info Success Count Logfile
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0x9f8 address = 0x400000, size = 512 True 1 Fn Data
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0x9f8 address = 0x400000, size = 1 True 1 Fn Data
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0x9f8 address = 0x401000, size = 141824 True 1 Fn Data
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0x9f8 address = 0x7efde008, size = 4 True 1 Fn Data
Modify Control Flow #1: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0x9f8 os_tid = 0xa28, address = 0x775701c4 True 1 Fn
Host Behavior
File (10)
Operation Filename Additional Information Success Count Logfile
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2 Fn
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Create \??\C:\Windows\SysWOW64\msiexec.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1 Fn
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 2 Fn
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 1 Fn
Get Info \??\C:\Windows\SysWOW64\msiexec.exe type = extended True 1 Fn
Read \??\C:\Windows\SysWOW64\ntdll.dll offset = 0, size = 1292096 True 1 Fn
Read \??\C:\Windows\SysWOW64\msiexec.exe offset = 0, size = 73216 True 1 Fn Data
Process (6)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\explorer.exe type = PROCESS_WOW64_INFORMATION True 1 Fn
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 1 Fn
Get Info c:\windows\syswow64\msiexec.exe type = PROCESS_BASIC_INFORMATION True 1 Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1 Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1 Fn
Open c:\windows\syswow64\msiexec.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1 Fn
Thread (8)
Operation Process Additional Information Success Count Logfile
Open c:\windows\explorer.exe os_tid = 0x568 True 1 Fn
Open c:\windows\syswow64\msiexec.exe os_tid = 0xa3c True 1 Fn
Suspend c:\windows\explorer.exe os_tid = 0x568 True 1 Fn
Get Context c:\windows\explorer.exe os_tid = 0x568 True 1 Fn
Queue APC c:\windows\explorer.exe os_tid = 0x568 True 1 Fn
Set Context c:\windows\explorer.exe os_tid = 0x568 True 1 Fn
Resume c:\windows\explorer.exe os_tid = 0x568 True 1 Fn
Resume c:\windows\syswow64\msiexec.exe os_tid = 0xa3c True 1 Fn
Memory (4)
Operation Process Additional Information Success Count Logfile
Read c:\windows\explorer.exe address = 0x7fffffdf000, size = 64 True 1 Fn Data
Read c:\windows\explorer.exe address = 0x2e0b000, size = 680 True 1 Fn Data
Read c:\windows\syswow64\msiexec.exe address = 0x7efde008, size = 4 True 1 Fn Data
Read c:\windows\syswow64\msiexec.exe address = 0x9e0000, size = 81920 True 1 Fn Data
Module (13)
Operation Module Additional Information Success Count Logfile
Load advapi32.dll base_address = 0x0 True 1 Fn
Load user32.dll base_address = 0x0 True 1 Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 True 1 Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1631500 True 1 Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 True 1 Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633272 True 1 Fn
Map process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x250000 True 1 Fn
Map process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x690000 True 1 Fn
Map process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2dc0000 True 1 Fn
Map process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2b0000 True 1 Fn
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xd0000 True 1 Fn
Map process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2e0000 True 1 Fn
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x9e0000 True 1 Fn
System (3)
Operation Additional Information Success Count Logfile
Sleep duration = 1630732 milliseconds (1630.732 seconds) True 1 Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 2 Fn
Environment (1)
Operation Additional Information Success Count Logfile
Set Environment String name = L53886-W, value = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe, environment = 0 True 1 Fn
Debug (1)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe True 1 Fn
Process #3: explorer.exe
(Host: 3, Network: 0)
Information Value
ID #3
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:52, Reason: Injection
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:04:29
OS Process Information
Information Value
PID 0x564
Parent PID 0xffffffffffffffff (Unknown)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x540
0x5A4
0x758
0x774
0x73C
0x71C
0x718
0x704
0x278
0x6BC
0x6EC
0x480
0x47C
0x7D4
0x7D0
0x734
0x6B0
0x67C
0x678
0x674
0x670
0x66C
0x660
0x65C
0x654
0x630
0x59C
0x598
0x594
0x590
0x58C
0x570
0x568
0xA7C
0xB10
0xB5C
0xB60
0xB88
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True True False
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True True False
pagefile_0x0000000000100000 0x00100000 0x00100fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000110000 0x00110000 0x0018ffff Private Memory Readable, Writable True True False
private_0x0000000000190000 0x00190000 0x001cffff Private Memory Readable, Writable True True False
pagefile_0x00000000001d0000 0x001d0000 0x001d1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001e0000 0x001e0000 0x001e0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001f0000 0x001f0000 0x001f1fff Pagefile Backed Memory Readable True False False
private_0x0000000000200000 0x00200000 0x00217fff Private Memory Readable, Writable True True False
pagefile_0x0000000000220000 0x00220000 0x00220fff Pagefile Backed Memory Readable True False False
private_0x0000000000230000 0x00230000 0x00230fff Private Memory Readable, Writable True True False
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable True True False
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable True True False
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000450000 0x00450000 0x005d7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000005e0000 0x005e0000 0x00760fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000770000 0x00770000 0x01b6ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001b70000 0x01b70000 0x01f62fff Pagefile Backed Memory Readable True False False
private_0x0000000001f70000 0x01f70000 0x01f8bfff Private Memory Readable, Writable True True False
pagefile_0x0000000001f90000 0x01f90000 0x01f92fff Pagefile Backed Memory Readable True False False
private_0x0000000001fa0000 0x01fa0000 0x01fa4fff Private Memory Readable, Writable True True False
private_0x0000000001fb0000 0x01fb0000 0x01fbffff Private Memory Readable, Writable True True False
private_0x0000000001fc0000 0x01fc0000 0x01fc0fff Private Memory Readable, Writable True True False
private_0x0000000001fd0000 0x01fd0000 0x0204ffff Private Memory Readable, Writable True True False
private_0x0000000002050000 0x02050000 0x020cffff Private Memory Readable, Writable True True False
pagefile_0x00000000020d0000 0x020d0000 0x021aefff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x021b0000 0x0247efff Memory Mapped File Readable False False False
pagefile_0x0000000002480000 0x02480000 0x02481fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000002490000 0x02490000 0x02491fff Pagefile Backed Memory Readable True False False
comctl32.dll.mui 0x024a0000 0x024a2fff Memory Mapped File Readable, Writable False False False
private_0x00000000024b0000 0x024b0000 0x024b0fff Private Memory Readable, Writable True True False
private_0x00000000024c0000 0x024c0000 0x024dbfff Private Memory Readable, Writable True True False
private_0x00000000024e0000 0x024e0000 0x024e0fff Private Memory Readable, Writable True True False
private_0x00000000024f0000 0x024f0000 0x0256ffff Private Memory Readable, Writable True True False
private_0x0000000002570000 0x02570000 0x02578fff Private Memory Readable, Writable True True False
private_0x0000000002580000 0x02580000 0x025dffff Private Memory Readable, Writable True True False
private_0x00000000025e0000 0x025e0000 0x0264bfff Private Memory Readable, Writable True True False
private_0x0000000002650000 0x02650000 0x0274ffff Private Memory Readable, Writable True True False
private_0x0000000002750000 0x02750000 0x0277ffff Private Memory Readable, Writable True True False
private_0x0000000002780000 0x02780000 0x0278ffff Private Memory True True False
private_0x0000000002790000 0x02790000 0x0279ffff Private Memory Readable, Writable True True False
private_0x00000000027a0000 0x027a0000 0x027affff Private Memory Readable, Writable True True False
private_0x00000000027b0000 0x027b0000 0x027bffff Private Memory Readable, Writable True True False
private_0x00000000027c0000 0x027c0000 0x027cffff Private Memory Readable, Writable True True False
private_0x00000000027d0000 0x027d0000 0x027dffff Private Memory Readable, Writable True True False
private_0x00000000027e0000 0x027e0000 0x027effff Private Memory Readable, Writable True True False
private_0x00000000027f0000 0x027f0000 0x027fffff Private Memory Readable, Writable True True False
private_0x0000000002800000 0x02800000 0x0280ffff Private Memory Readable, Writable True True False
private_0x0000000002810000 0x02810000 0x0281ffff Private Memory Readable, Writable True True False
private_0x0000000002820000 0x02820000 0x0282ffff Private Memory Readable, Writable True True False
private_0x0000000002830000 0x02830000 0x0292ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002930000 0x02930000 0x02931fff Pagefile Backed Memory Readable True False False
private_0x0000000002940000 0x02940000 0x02940fff Private Memory Readable, Writable True True False
private_0x0000000002950000 0x02950000 0x02950fff Private Memory Readable, Writable True True False
private_0x0000000002960000 0x02960000 0x02967fff Private Memory Readable, Writable True True False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db 0x02970000 0x0299ffff Memory Mapped File Readable True False False
pagefile_0x00000000029a0000 0x029a0000 0x029a0fff Pagefile Backed Memory Readable, Writable True False False
cversions.2.db 0x029b0000 0x029b3fff Memory Mapped File Readable True False False
cversions.2.db 0x029c0000 0x029c3fff Memory Mapped File Readable True False False
pagefile_0x00000000029d0000 0x029d0000 0x029d1fff Pagefile Backed Memory Readable True False False
private_0x00000000029e0000 0x029e0000 0x029effff Private Memory Readable, Writable True True False
pagefile_0x00000000029f0000 0x029f0000 0x029f1fff Pagefile Backed Memory Readable True False False
private_0x0000000002a00000 0x02a00000 0x02a47fff Private Memory Readable, Writable True True False
private_0x0000000002a50000 0x02a50000 0x02a53fff Private Memory Readable, Writable True True False
pagefile_0x0000000002a60000 0x02a60000 0x02a61fff Pagefile Backed Memory Readable True False False
private_0x0000000002a70000 0x02a70000 0x02a73fff Private Memory Readable, Writable True True False
private_0x0000000002a80000 0x02a80000 0x02b7ffff Private Memory Readable, Writable True True False
private_0x0000000002b80000 0x02b80000 0x02c7ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002c90000 0x02c90000 0x02c90fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000002ca0000 0x02ca0000 0x02ca1fff Pagefile Backed Memory Readable True False False
wininet.dll.mui 0x02cb0000 0x02cbcfff Memory Mapped File Readable, Writable False False False
index.dat 0x02cc0000 0x02cc7fff Memory Mapped File Readable, Writable True False False
index.dat 0x02cd0000 0x02cd3fff Memory Mapped File Readable, Writable True False False
index.dat 0x02ce0000 0x02ceffff Memory Mapped File Readable, Writable True False False
index.dat 0x02cf0000 0x02cfffff Memory Mapped File Readable, Writable True False False
pagefile_0x0000000002d00000 0x02d00000 0x02d00fff Pagefile Backed Memory Readable, Writable True False False
thumbcache_1024.db 0x02d90000 0x02d90fff Memory Mapped File Readable, Writable True False False
thumbcache_sr.db 0x02da0000 0x02da0fff Memory Mapped File Readable, Writable True False False
thumbcache_idx.db 0x02db0000 0x02db0fff Memory Mapped File Readable, Writable True False False
pagefile_0x0000000002dc0000 0x02dc0000 0x02e4afff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000002e80000 0x02e80000 0x031c2fff Pagefile Backed Memory Readable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x031d0000 0x031fffff Memory Mapped File Readable True False False
private_0x0000000003200000 0x03200000 0x03200fff Private Memory Readable, Writable True True False
private_0x0000000003210000 0x03210000 0x03213fff Private Memory Readable, Writable True True False
private_0x0000000003220000 0x03220000 0x0329ffff Private Memory Readable, Writable True True False
private_0x00000000032a0000 0x032a0000 0x0331ffff Private Memory Readable, Writable True True False
private_0x0000000003320000 0x03320000 0x03320fff Private Memory Readable, Writable True True False
private_0x0000000003330000 0x03330000 0x033affff Private Memory Readable, Writable True True False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x033b0000 0x03415fff Memory Mapped File Readable True False False
private_0x0000000003420000 0x03420000 0x03420fff Private Memory Readable, Writable True True False
private_0x0000000003430000 0x03430000 0x034affff Private Memory Readable, Writable True True False
private_0x00000000034b0000 0x034b0000 0x034b0fff Private Memory Readable, Writable True True False
private_0x00000000034c0000 0x034c0000 0x034c0fff Private Memory Readable, Writable True True False
thumbcache_1024.db 0x034d0000 0x034d0fff Memory Mapped File Readable, Writable True False False
pagefile_0x00000000034e0000 0x034e0000 0x034e1fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000034f0000 0x034f0000 0x034f0fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000003500000 0x03500000 0x03501fff Pagefile Backed Memory Readable True False False
private_0x0000000003510000 0x03510000 0x03510fff Private Memory Readable, Writable True True False
private_0x0000000003520000 0x03520000 0x0359ffff Private Memory Readable, Writable True True False
staticcache.dat 0x035a0000 0x03ecffff Memory Mapped File Readable False False False
pagefile_0x0000000003ed0000 0x03ed0000 0x03ed1fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x03ee0000 0x03ee3fff Memory Mapped File Readable True False False
private_0x0000000003ef0000 0x03ef0000 0x03ef0fff Private Memory Readable, Writable, Executable True True False
pagefile_0x0000000003f00000 0x03f00000 0x03f01fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000003f10000 0x03f10000 0x03f11fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000003f20000 0x03f20000 0x03f21fff Pagefile Backed Memory Readable True False False
private_0x0000000003f30000 0x03f30000 0x03f30fff Private Memory Readable, Writable True True False
private_0x0000000003f40000 0x03f40000 0x03f40fff Private Memory Readable, Writable True True False
private_0x0000000003f50000 0x03f50000 0x03f50fff Private Memory Readable, Writable True True False
private_0x0000000003f60000 0x03f60000 0x03fdffff Private Memory Readable, Writable True True False
private_0x0000000003fe0000 0x03fe0000 0x03fe0fff Private Memory Readable, Writable True True False
private_0x0000000003ff0000 0x03ff0000 0x03ff0fff Private Memory Readable, Writable True True False
private_0x0000000004000000 0x04000000 0x04000fff Private Memory Readable, Writable True True False
cversions.2.db 0x04010000 0x04013fff Memory Mapped File Readable True False False
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db 0x04020000 0x04020fff Memory Mapped File Readable True False False
cversions.2.db 0x04030000 0x04033fff Memory Mapped File Readable True False False
private_0x0000000004040000 0x04040000 0x040bffff Private Memory Readable, Writable True True False
{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db 0x040c0000 0x040c0fff Memory Mapped File Readable True False False
cversions.2.db 0x040d0000 0x040d3fff Memory Mapped File Readable True False False
{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db 0x040e0000 0x040e0fff Memory Mapped File Readable True False False
private_0x00000000040f0000 0x040f0000 0x040f0fff Private Memory Readable, Writable True True False
private_0x0000000004100000 0x04100000 0x04100fff Private Memory Readable, Writable True True False
private_0x0000000004110000 0x04110000 0x04110fff Private Memory Readable, Writable True True False
private_0x0000000004120000 0x04120000 0x04120fff Private Memory Readable, Writable True True False
pagefile_0x0000000004130000 0x04130000 0x04131fff Pagefile Backed Memory Readable True False False
private_0x0000000004140000 0x04140000 0x041bffff Private Memory Readable, Writable True True False
private_0x00000000041c0000 0x041c0000 0x0420ffff Private Memory Readable, Writable True True False
thumbcache_sr.db 0x04210000 0x04210fff Memory Mapped File Readable, Writable True False False
private_0x0000000004220000 0x04220000 0x0429ffff Private Memory Readable, Writable True True False
pagefile_0x00000000042a0000 0x042a0000 0x042a0fff Pagefile Backed Memory Readable True False False
wdmaud.drv.mui 0x042b0000 0x042b0fff Memory Mapped File Readable, Writable False False False
mmdevapi.dll.mui 0x042c0000 0x042c0fff Memory Mapped File Readable, Writable False False False
private_0x00000000042d0000 0x042d0000 0x042d1fff Private Memory Readable, Writable True True False
pagefile_0x00000000042e0000 0x042e0000 0x042e1fff Pagefile Backed Memory Readable True False False
oleaccrc.dll 0x042f0000 0x042f0fff Memory Mapped File Readable False False False
pagefile_0x0000000004300000 0x04300000 0x04301fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004310000 0x04310000 0x04310fff Pagefile Backed Memory Readable, Writable True False False
thumbcache_idx.db 0x04320000 0x04320fff Memory Mapped File Readable, Writable True False False
private_0x0000000004330000 0x04330000 0x04362fff Private Memory Readable, Writable True True False
pagefile_0x0000000004370000 0x04370000 0x04370fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000004380000 0x04380000 0x04382fff Private Memory Readable, Writable True True False
private_0x0000000004390000 0x04390000 0x0440ffff Private Memory Readable, Writable True True False
private_0x0000000004410000 0x04410000 0x04410fff Private Memory Readable, Writable True True False
For performance reasons, the remaining 264 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source OS Thread ID Injection Info Success Count Logfile
Modify Memory #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0xa28 address = 0x2dc0000, size = 569344 True 1 Fn
Modify Control Flow #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0xa28 os_tid = 0x568, address = 0x7 True 1 Fn
Modify Control Flow #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0xa28 os_tid = 0x568, address = 0x2dd8ead True 1 Fn
Modify Memory #5: c:\windows\syswow64\msiexec.exe 0xa3c address = 0x9b50000, size = 5120000 True 1 Fn
Modify Memory #5: c:\windows\syswow64\msiexec.exe 0xa3c address = 0x2d10000, size = 466944 True 1 Fn
Modify Control Flow #5: c:\windows\syswow64\msiexec.exe 0xa3c os_tid = 0x568, address = 0xf True 1 Fn
Modify Control Flow #5: c:\windows\syswow64\msiexec.exe 0xa3c os_tid = 0x568, address = 0x2d26e96 True 1 Fn
Host Behavior
Process (2)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\autofmt.exe os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE False 1 Fn
Create C:\Windows\SysWOW64\msiexec.exe os_pid = 0xa38, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE True 1 Fn
Mutex (1)
Operation Additional Information Success Count Logfile
Create mutex_name = S-1-5-21-3388679-13801793209033 True 1 Fn
Process #4: autofmt.exe
Information Value
ID #4
File Name c:\windows\syswow64\autofmt.exe
Command Line "C:\Windows\SysWOW64\autofmt.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:04:24
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0xa30
Parent PID 0x564 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA34
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True True False
private_0x0000000000200000 0x00200000 0x0023ffff Private Memory Readable, Writable True True False
autofmt.exe 0x00b80000 0x00c23fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Process #5: msiexec.exe
(Host: 462, Network: 0)
Information Value
ID #5
File Name c:\windows\syswow64\msiexec.exe
Command Line "C:\Windows\SysWOW64\msiexec.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:04:24
OS Process Information
Information Value
PID 0xa38
Parent PID 0x564 (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA3C
0xA40
0xA78
0xB00
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00061fff Pagefile Backed Memory Readable True False False
msiexec.exe.mui 0x00070000 0x00070fff Memory Mapped File Readable, Writable False False False
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x000cffff Private Memory Readable, Writable True True False
pagefile_0x00000000000d0000 0x000d0000 0x000f3fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000100000 0x00100000 0x00100fff Private Memory Readable, Writable True True False
private_0x0000000000110000 0x00110000 0x0011ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000110000 0x00110000 0x00133fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True True False
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True True False
private_0x0000000000140000 0x00140000 0x0014ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000150000 0x00150000 0x00150fff Pagefile Backed Memory Readable True False False
private_0x0000000000150000 0x00150000 0x00150fff Private Memory Readable, Writable True True False
private_0x0000000000160000 0x00160000 0x0019ffff Private Memory Readable, Writable True True False
private_0x00000000001a0000 0x001a0000 0x001c3fff Private Memory Readable, Writable True True False
pagefile_0x00000000001d0000 0x001d0000 0x001d0fff Pagefile Backed Memory Readable True False False
oleaccrc.dll 0x001e0000 0x001e0fff Memory Mapped File Readable False False False
private_0x00000000001e0000 0x001e0000 0x001e0fff Private Memory Readable, Writable True True False
private_0x00000000001f0000 0x001f0000 0x0026ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000270000 0x00270000 0x00271fff Pagefile Backed Memory Readable True False False
windowsshell.manifest 0x00280000 0x00280fff Memory Mapped File Readable False False False
pagefile_0x0000000000280000 0x00280000 0x00280fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000290000 0x00290000 0x00291fff Pagefile Backed Memory Readable True False False
index.dat 0x002a0000 0x002abfff Memory Mapped File Readable, Writable True True False
index.dat 0x002b0000 0x002b7fff Memory Mapped File Readable, Writable True True False
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True True False
locale.nls 0x003c0000 0x00426fff Memory Mapped File Readable False False False
private_0x0000000000430000 0x00430000 0x0046ffff Private Memory Readable, Writable True True False
private_0x0000000000470000 0x00470000 0x004affff Private Memory Readable, Writable True True False
index.dat 0x004b0000 0x004b7fff Memory Mapped File Readable, Writable True True False
private_0x00000000004c0000 0x004c0000 0x004c0fff Private Memory Readable, Writable True True False
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True True False
pagefile_0x00000000004f0000 0x004f0000 0x00677fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory Readable True False False
private_0x0000000000810000 0x00810000 0x00874fff Private Memory Readable, Writable, Executable True True False
private_0x0000000000880000 0x00880000 0x008e4fff Private Memory Readable, Writable, Executable True True False
pagefile_0x00000000008f0000 0x008f0000 0x009cefff Pagefile Backed Memory Readable True False False
msiexec.exe 0x009e0000 0x009f3fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x00000000009e0000 0x009e0000 0x009f3fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000000a00000 0x00a00000 0x01dfffff Pagefile Backed Memory Readable True False False
private_0x0000000001e00000 0x01e00000 0x01f80fff Private Memory Readable, Writable True True False
private_0x0000000001e00000 0x01e00000 0x01efafff Private Memory Readable, Writable True True False
index.dat 0x01f00000 0x01f3ffff Memory Mapped File Readable, Writable True True False
pagefile_0x0000000001f40000 0x01f40000 0x01f83fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000001f90000 0x01f90000 0x02292fff Private Memory Readable, Writable, Executable True True False
pagefile_0x00000000022a0000 0x022a0000 0x02781fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000002790000 0x02790000 0x02984fff Private Memory Readable, Writable True True False
private_0x00000000027d0000 0x027d0000 0x0280ffff Private Memory Readable, Writable True True False
private_0x0000000002810000 0x02810000 0x0284ffff Private Memory Readable, Writable True True False
private_0x0000000002850000 0x02850000 0x0292ffff Private Memory Readable, Writable True True False
pagefile_0x0000000002850000 0x02850000 0x028c1fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000002850000 0x02850000 0x028dafff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x00000000028a0000 0x028a0000 0x028dffff Private Memory Readable, Writable True True False
private_0x0000000002920000 0x02920000 0x0292ffff Private Memory Readable, Writable True True False
private_0x0000000002940000 0x02940000 0x0297ffff Private Memory Readable, Writable True True False
private_0x0000000002980000 0x02980000 0x02a7ffff Private Memory Readable, Writable True True False
private_0x0000000002990000 0x02990000 0x02b9ffff Private Memory Readable, Writable True True False
sortdefault.nls 0x02ba0000 0x02e6efff Memory Mapped File Readable False False False
pagefile_0x0000000002e70000 0x02e70000 0x031b2fff Pagefile Backed Memory Readable True False False
private_0x00000000031c0000 0x031c0000 0x036b1fff Private Memory Readable, Writable True True False
uxtheme.dll 0x738b0000 0x7392ffff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
ieframe.dll 0x73e80000 0x748fffff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x74800000 0x748fafff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x74840000 0x748fefff Memory Mapped File Readable, Writable, Executable False False False
msi.dll 0x74900000 0x74b3ffff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x74b80000 0x74b86fff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x74b90000 0x74d44fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x74bc0000 0x74d4ffff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74d50000 0x74d58fff Memory Mapped File Readable, Writable, Executable False False False
ntmarta.dll 0x74d60000 0x74d80fff Memory Mapped File Readable, Writable, Executable False False False
profapi.dll 0x74d90000 0x74d9afff Memory Mapped File Readable, Writable, Executable False False False
mlang.dll 0x74da0000 0x74dcdfff Memory Mapped File Readable, Writable, Executable False False False
comctl32.dll 0x74dd0000 0x74f6dfff Memory Mapped File Readable, Writable, Executable False False False
oleacc.dll 0x74f70000 0x74fabfff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74f70000 0x74fa1fff Memory Mapped File Readable, Writable, Executable False False False
vaultcli.dll 0x74fa0000 0x74fabfff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
psapi.dll 0x75370000 0x75374fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75380000 0x753b4fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x75570000 0x756cbfff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x756d0000 0x75752fff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x763e0000 0x7646efff Memory Mapped File Readable, Writable, Executable False False False
urlmon.dll 0x76470000 0x765a5fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x768e0000 0x769fcfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76bd0000 0x76bd5fff Memory Mapped File Readable, Writable, Executable False False False
wininet.dll 0x76be0000 0x76cd4fff Memory Mapped File Readable, Writable, Executable False False False
wldap32.dll 0x76ce0000 0x76d24fff Memory Mapped File Readable, Writable, Executable False False False
iertutil.dll 0x76d30000 0x76f2afff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x77530000 0x7753bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True True False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True True False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True True False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0xa28 address = 0xd0000, size = 147456 True 1
Modify Memory #2: c:\users\5p5nrgjn0js halpmcxz\desktop\lxqfwvdqlkd.exe 0xa28 address = 0x9e0000, size = 81920 True 1
Created Files
Filename File Size Hash Values YARA Match Actions
Modified Files
Filename File Size Hash Values YARA Match Actions
Host Behavior
COM (1)
Operation Class Interface Additional Information Success Count
Create 3C374A40-BAE4-11CF-BF7D-00AA006946EE (CLSID_CUrlHistory, the Internet Explorer URL history store) AFA0DC11-C313-11D0-831A-00C04FD5AE38 (IID_IUrlHistoryStg2, the interface used to enumerate visited URLs) cls_context = CLSCTX_INPROC_SERVER True 1
File (275)
Operation Filename Additional Information Success Count
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 3
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5P5NRG~1\AppData\Local\Temp\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Program Files (x86)\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Program Files (x86)\Common Files\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\ProgramData\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \??\C:\Windows\System32\drivers\etc\hosts desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-log.ini desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 73
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 3
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr type = extended True 1
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 1
Get Info \??\C:\Windows\System32\drivers\etc\hosts type = extended True 2
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr type = extended True 2
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini type = extended True 73
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini type = extended True 1
Get Info \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini type = extended True 1
Get Info \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = extended True 2
Read \??\C:\Windows\System32\drivers\etc\hosts offset = 0, size = 824 True 1
Read \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr offset = 0, size = 290816 True 1
Read \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe offset = 0, size = 275568 True 1
Write \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini 74 separate writes, each logged as True 1, listed here in log order as offset/size; the run is contiguous from offset 0 and ends at 2106, the size of the dropped 8q-logrc.ini: 0/40, 40/12, 52/82, 134/18, 152/22, 174/24, 198/20, 218/26, 244/16, 260/28, 288/6, 294/26, 320/44, 364/32, 396/20, 416/4, 420/12, 432/82, 514/18, 532/22, 554/24, 578/20, 598/26, 624/18, 642/28, 670/6, 676/26, 702/46, 748/32, 780/20, 800/4, 804/12, 816/82, 898/18, 916/24, 940/26, 966/42, 1008/26, 1034/20, 1054/12, 1066/42, 1108/24, 1132/14, 1146/24, 1170/16, 1186/20, 1206/18, 1224/46, 1270/6, 1276/32, 1308/16, 1324/46, 1370/212, 1582/48, 1630/28, 1658/32, 1690/20, 1710/4, 1714/12, 1726/82, 1808/18, 1826/24, 1850/24, 1874/20, 1894/26, 1920/24, 1944/28, 1972/6, 1978/26, 2004/42, 2046/32, 2078/20, 2098/4, 2102/4
Write \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini offset = 0, size = 40 True 1
Write \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini offset = 0, size = 40 True 1
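Read together, the file rows above and the registry rows that follow describe a credential stealer with persistence: the process opens its own file name in several candidate install directories (all failing except the Desktop copy it was launched from), drops igfxonux.scr into AppData\Roaming and registers it under the user's Run key as autochkDNAL2, opens Chrome's and Opera's Login Data, locates the Firefox install directory from the registry and reads Firefox.exe, enumerates the Outlook profile store under the 9375CFF0413111d3B88A00104B2A6676 subkey (where Outlook keeps account settings) and IE's IntelliForms\Storage2, and reads the hosts file. The script below is an added triage example, not part of the VMRay report or of any tool it names. Its sample rows are transcribed from the tables on this page with the user name shortened to U and the SID truncated, and LOGRC_WRITES is the 74 writes to 8Q-logrc.ini exactly as logged; the detection patterns and the "two stores plus persistence" threshold are this example's own choices. It also checks that the writes form one contiguous run that ends at the 2106-byte size of the dropped file, so the dropped-file hash covers exactly what the process wrote. The all_even flag is an inference (even-sized lines are consistent with UTF-16 text), not something the report states.

```python
"""Triage of sandbox behaviour rows for infostealer traits (added example, not part
of the VMRay report). SAMPLE_ROWS and LOGRC_WRITES are test data transcribed from the
report's tables (user name shortened to "U", SID truncated); patterns are this example's own."""
import re
from collections import defaultdict

# (category, operation, target, additional_info, success)
SAMPLE_ROWS = [
    ("File", "Create", r"\??\C:\Users\U\lxqfwvdqlkd.exe", "", False),
    ("File", "Create", r"\??\C:\Users\U\AppData\Roaming\lxqfwvdqlkd.exe", "", False),
    ("File", "Create", r"\??\C:\Users\U\AppData\Local\Temp\lxqfwvdqlkd.exe", "", False),
    ("File", "Create", r"\??\C:\ProgramData\lxqfwvdqlkd.exe", "", False),
    ("File", "Create", r"\??\C:\Users\U\Desktop\lxqfwvdqlkd.exe", "", True),
    ("File", "Read", r"\??\C:\Windows\System32\drivers\etc\hosts", "offset = 0, size = 824", True),
    ("File", "Create", r"\??\C:\Users\U\AppData\Local\Google\Chrome\User Data\Default\Login Data", "", True),
    ("File", "Create", r"\??\C:\Users\U\AppData\Roaming\Opera Software\Opera Stable\Login Data", "", False),
    ("File", "Read", r"\??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe", "offset = 0, size = 275568", True),
    ("Registry", "Create Key", r"HKEY_USERS\S-1-5-21-X-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
     r"\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001", "", True),
    ("Registry", "Create Key", r"HKEY_USERS\S-1-5-21-X-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2", "", True),
    ("Registry", "Read Value", r"HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main",
     "value_name = Install Directory", True),
    ("Registry", "Write Value", r"HKEY_USERS\S-1-5-21-X-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     r"value_name = autochkDNAL2, data = C:\Users\U\AppData\Roaming\igfxonux.scr, size = 116, type = REG_SZ", True),
]

# Artefacts credential stealers go after; the attempt is the signal, successful or not.
CREDENTIAL_STORES = {
    "chrome_logins": re.compile(r"\\Google\\Chrome\\User Data\\[^\\]+\\Login Data$", re.I),
    "opera_logins": re.compile(r"\\Opera Software\\[^\\]+\\Login Data$", re.I),
    "firefox_install": re.compile(r"\\Mozilla Firefox\\(firefox\.exe|[^\\]+\\Main)$", re.I),
    "outlook_accounts": re.compile(r"\\Profiles\\[^\\]+\\9375CFF0413111d3B88A00104B2A6676", re.I),
    "ie_autocomplete": re.compile(r"\\Internet Explorer\\IntelliForms\\Storage2$", re.I),
}
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads)\\", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|dll|com|pif|bat|cmd|vbs|js|ps1)$", re.I)

def triage(rows, sample_name):
    """Findings keyed by trait: credential_store, persistence, install_probe."""
    findings = defaultdict(list)
    probe_dirs = defaultdict(set)  # basename -> directories where opening it failed
    for category, op, target, info, ok in rows:
        for name, pat in CREDENTIAL_STORES.items():
            if pat.search(target):
                findings["credential_store"].append((name, op, ok))
        # Persistence: a Run value whose data is an executable in a user-writable location.
        if category == "Registry" and op == "Write Value" and RUN_KEY.search(target):
            m = re.search(r"data = (.*?)(?:, size =|$)", info)
            data = m.group(1) if m else ""
            if USER_WRITABLE.search(data) and EXEC_EXT.search(data):
                findings["persistence"].append(data)
        # Install-location probe: the sample looks for a copy of itself in likely drop dirs.
        if category == "File" and op == "Create" and not ok:
            directory, _, base = target.rpartition("\\")
            if base.lower() == sample_name.lower():
                probe_dirs[base].add(directory)
    for base, dirs in probe_dirs.items():
        if len(dirs) >= 3:
            findings["install_probe"].append((base, len(dirs)))
    return dict(findings)

def summarize(findings):
    """Verdict: more than one credential store touched plus a persistence mechanism."""
    stores = sorted({name for name, _, _ in findings.get("credential_store", [])})
    return {
        "credential_stores": stores,
        "persistence": findings.get("persistence", []),
        "likely_infostealer": len(stores) >= 2 and bool(findings.get("persistence")),
    }

# The 74 logged writes to 8Q-logrc.ini as offset/size in log order, from the report.
LOGRC_WRITES = (
    "0/40 40/12 52/82 134/18 152/22 174/24 198/20 218/26 244/16 260/28 288/6 294/26 "
    "320/44 364/32 396/20 416/4 420/12 432/82 514/18 532/22 554/24 578/20 598/26 "
    "624/18 642/28 670/6 676/26 702/46 748/32 780/20 800/4 804/12 816/82 898/18 "
    "916/24 940/26 966/42 1008/26 1034/20 1054/12 1066/42 1108/24 1132/14 1146/24 "
    "1170/16 1186/20 1206/18 1224/46 1270/6 1276/32 1308/16 1324/46 1370/212 "
    "1582/48 1630/28 1658/32 1690/20 1710/4 1714/12 1726/82 1808/18 1826/24 1850/24 "
    "1874/20 1894/26 1920/24 1944/28 1972/6 1978/26 2004/42 2046/32 2078/20 2098/4 2102/4"
)

def check_write_coverage(pairs, expected_size):
    """Do the writes form one contiguous run from offset 0 ending at expected_size?
    If yes, the dropped-file hash covers exactly what the process wrote. all_even flags
    even-sized lines, which suggest UTF-16 text (an inference, not a report fact)."""
    pos, sizes, contiguous = 0, [], True
    for tok in pairs.split():
        off, size = (int(x) for x in tok.split("/"))
        contiguous = contiguous and off == pos
        pos = max(pos, off + size)
        sizes.append(size)
    return {"contiguous": contiguous, "total": pos, "matches_size": pos == expected_size,
            "count": len(sizes), "all_even": all(s % 2 == 0 for s in sizes)}

if __name__ == "__main__":
    print(summarize(triage(SAMPLE_ROWS, "lxqfwvdqlkd.exe")))
    print(check_write_coverage(LOGRC_WRITES, 2106))
```

On the sample above the verdict is positive because five distinct stores are touched and the Run value points at a .scr under AppData; the four failed opens of lxqfwvdqlkd.exe are reported as an install-location probe. The coverage check passes (74 writes, contiguous, total 2106), which is what lets an analyst trust the 8q-logrc.ini hash in the dropped-files table as the hash of this process's complete output rather than of a partially overwritten file.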
Registry (126)
+
Operation Key Additional Information Success Count Logfile
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies False 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ False 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\ False 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ False 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 2
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ value_name = CurrentVersion True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main value_name = Install Directory True 1
Fn
Write Value HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run value_name = autochkDNAL2, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, size = 116, type = REG_SZ True 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ True 19
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 True 4
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} True 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} False 1
Fn
Enumerate Keys HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ False 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 False 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 False 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 False 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 True 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 False 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary False 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 False 1
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 2
Process (9)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\SysWOW64\cmd.exe os_pid = 0xa44, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create C:\Windows\SysWOW64\cmd.exe os_pid = 0xa58, creation_flags = CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Create C:\Program Files (x86)\Mozilla Firefox\Firefox.exe os_pid = 0xb08, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE True 1
Get Info c:\windows\explorer.exe type = PROCESS_WOW64_INFORMATION True 1
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 1
Get Info C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = PROCESS_WOW64_INFORMATION True 1
Get Info C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = PROCESS_BASIC_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 2
Thread (7)
Operation Process Additional Information Success Count Logfile
Open c:\windows\explorer.exe os_tid = 0x568 True 1
Suspend c:\windows\explorer.exe os_tid = 0x568 True 1
Get Context c:\windows\explorer.exe os_tid = 0x568 True 1
Queue APC c:\windows\explorer.exe os_tid = 0x568 True 1
Set Context c:\windows\explorer.exe os_tid = 0x568 True 1
Resume c:\windows\explorer.exe os_tid = 0x568 True 1
Resume c:\windows\syswow64\msiexec.exe os_tid = 0xa3c True 1
Memory (3)
Operation Process Additional Information Success Count Logfile
Read c:\windows\explorer.exe address = 0x7fffffdf000, size = 64 True 1
Read C:\Program Files (x86)\Mozilla Firefox\Firefox.exe address = 0xfffde000, size = 32 True 1
Read C:\Program Files (x86)\Mozilla Firefox\Firefox.exe address = 0x1270000, size = 278528 True 1
Module (20)
Operation Module Additional Information Success Count Logfile
Load crypt32.dll base_address = 0x0 True 1
Load C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0xc0000135 False 1
Load winsqlite3.dll base_address = 0xc0000135 False 1
Load vaultcli.dll base_address = 0x0 True 1
Load gdiplus.dll base_address = 0x0 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1697632 True 1
Create Mapping protection = PAGE_READWRITE, maximum_size = 1696204 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1693904 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1696236 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1696288 True 1
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x110000 True 1
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_READWRITE, address_out = 0x22a0000 True 1
Map process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x9b50000 True 1
Map process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2d10000 True 1
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2850000 True 1
Map process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x3c0000 True 1
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x2850000 True 1
Map process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 True 1
Map process_name = c:\windows\syswow64\msiexec.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1f40000 True 1
Map process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1270000 True 1
System (8)
Operation Additional Information Success Count Logfile
Sleep duration = 1696712 milliseconds (1696.712 seconds) True 1
Sleep duration = 1697672 milliseconds (1697.672 seconds) True 2
Sleep duration = 1697672 milliseconds (1697.672 seconds) False 1
Get Info type = SYSTEM_PROCESS_INFORMATION True 4
Mutex (2)
Operation Additional Information Success Count Logfile
Create mutex_name = L53886-WGVVJKAFC, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Create mutex_name = 8Q-59UAVA1ZvGWMZ, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Environment (2)
Operation Additional Information Success Count Logfile
Set Environment String name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox, environment = 0 True 1
Set Environment String name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 True 1
Debug (1)
Operation Process Additional Information Success Count Logfile
Check for Presence c:\windows\syswow64\msiexec.exe True 1
Process #6: cmd.exe
(Host: 102, Network: 0)
Information Value
ID #6
File Name c:\windows\syswow64\cmd.exe
Command Line /c copy "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe" "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /V
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:02, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:04:19
OS Process Information
Information Value
PID 0xa44
Parent PID 0xa38 (c:\windows\syswow64\msiexec.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA48
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True True False
private_0x00000000000a0000 0x000a0000 0x000affff Private Memory Readable, Writable True True False
private_0x00000000000b0000 0x000b0000 0x001affff Private Memory Readable, Writable True True False
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True True False
private_0x00000000001f0000 0x001f0000 0x001fffff Private Memory Readable, Writable True True False
private_0x0000000000250000 0x00250000 0x002cffff Private Memory Readable, Writable True True False
private_0x0000000000330000 0x00330000 0x0042ffff Private Memory Readable, Writable True True False
locale.nls 0x00430000 0x00496fff Memory Mapped File Readable False False False
private_0x0000000000550000 0x00550000 0x0055ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000560000 0x00560000 0x006e7fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000006f0000 0x006f0000 0x00870fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000880000 0x00880000 0x01c7ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001c80000 0x01c80000 0x01fc2fff Pagefile Backed Memory Readable True False False
cmd.exe 0x4a220000 0x4a26bfff Memory Mapped File Readable, Writable, Executable True False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
winbrand.dll 0x74fa0000 0x74fa6fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Created Files
Filename File Size Hash Values YARA Match Actions
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0.00 KB (0 bytes) MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
False
c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 284.00 KB (290816 bytes) MD5: f5aceff295707412e7679e7c0f3a797e
SHA1: 89c58b4bc7130630ff093afe1c57614a4b85ddc7
SHA256: ab17c139b27a1884df468664b2ae448a6bfd8973034b6bfa42d03a3533edbe8d
False
Host Behavior
File (61)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = GENERIC_READ, file_attributes = FILE_ATTRIBUTE_NORMAL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe type = file_attributes True 1
Get Info STD_INPUT_HANDLE type = file_type True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr type = file_attributes True 1
Get Info type = file_type True 2
Get Info STD_INPUT_HANDLE type = size, size_out = 0 True 1
Get Info type = size, size_out = 0 True 1
Get Info System Paging File type = file_type False 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Open STD_OUTPUT_HANDLE True 8
Open STD_INPUT_HANDLE True 3
Open STD_INPUT_HANDLE True 9
Open True 10
Open False 2
Copy C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe True 1
Read STD_INPUT_HANDLE size = 512, size_out = 512 True 1
Read STD_INPUT_HANDLE size = 65024, size_out = 65024 True 4
Read size = 65024, size_out = 65024 True 4
Read STD_INPUT_HANDLE size = 65024, size_out = 30720 True 1
Read size = 30720, size_out = 30720 True 1
Write STD_OUTPUT_HANDLE size = 27 True 1
Registry (17)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Process (1)
Operation Process Additional Information Success Count Logfile
Get Info c:\windows\syswow64\cmd.exe type = PROCESS_PAGE_PRIORITY True 1
Module (8)
Operation Module Additional Information Success Count Logfile
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a220000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 2
Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x765da84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x765e3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x765c4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x765da79d True 1
System (2)
Operation Additional Information Success Count Logfile
Get Time type = System Time, time = 2017-09-20 16:08:22 (UTC) True 1
Get Time type = Ticks, time = 92149 True 1
Environment (11)
Operation Additional Information Success Count Logfile
Get Environment String True 4
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Process #7: cmd.exe
(Host: 52, Network: 0)
Information Value
ID #7
File Name c:\windows\syswow64\cmd.exe
Command Line /c del "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:06, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:04:15
OS Process Information
Information Value
PID 0xa58
Parent PID 0xa38 (c:\windows\syswow64\msiexec.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xA5C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x0002ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
pagefile_0x0000000000030000 0x00030000 0x00036fff Pagefile Backed Memory Readable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x00071fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000080000 0x00080000 0x00080fff Private Memory Readable, Writable True True False
private_0x0000000000090000 0x00090000 0x00090fff Private Memory Readable, Writable True True False
private_0x00000000000c0000 0x000c0000 0x0013ffff Private Memory Readable, Writable True True False
private_0x0000000000150000 0x00150000 0x0018ffff Private Memory Readable, Writable True True False
locale.nls 0x00190000 0x001f6fff Memory Mapped File Readable False False False
private_0x0000000000200000 0x00200000 0x002fffff Private Memory Readable, Writable True True False
private_0x0000000000350000 0x00350000 0x0044ffff Private Memory Readable, Writable True True False
private_0x00000000004f0000 0x004f0000 0x004fffff Private Memory Readable, Writable True True False
pagefile_0x0000000000500000 0x00500000 0x00687fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000690000 0x00690000 0x00810fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000820000 0x00820000 0x01c1ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001c20000 0x01c20000 0x01f62fff Pagefile Backed Memory Readable True False False
cmd.exe 0x4a260000 0x4a2abfff Memory Mapped File Readable, Writable, Executable True False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
winbrand.dll 0x74f90000 0x74f96fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True True False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True True False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True True False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (14)
Operation Filename Additional Information Success Count
Get Info C:\Windows\system32 type = file_attributes True 1
Get Info C:\Windows\System32 type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe type = file_attributes True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop type = file_attributes True 1
Open STD_OUTPUT_HANDLE True 5
Open STD_INPUT_HANDLE True 3
Delete C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\lxqfwvdqlkd.exe True 1
Registry (17)
Operation Key Additional Information Success Count
Open Key HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System False 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Command Processor True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 0, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = CompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 64, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor value_name = AutoRun, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DisableUNCCheck, data = 64, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = EnableExtensions, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DelayedExpansion, data = 1, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = DefaultColor, data = 0, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = CompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = PathCompletionChar, data = 9, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Command Processor value_name = AutoRun, data = 9, type = REG_NONE False 1
Module (8)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\cmd.exe base_address = 0x4a260000 True 1
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x765b0000 True 2
Get Filename process_name = c:\windows\syswow64\cmd.exe, file_name_orig = C:\Windows\SysWOW64\cmd.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadUILanguage, address_out = 0x765da84f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CopyFileExW, address_out = 0x765e3b92 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsDebuggerPresent, address_out = 0x765c4a5d True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetConsoleInputExeNameW, address_out = 0x765da79d True 1
System (2)
Operation Additional Information Success Count
Get Time type = System Time, time = 2017-09-20 16:08:25 (UTC) True 1
Get Time type = Ticks, time = 95644 True 1
Environment (11)
Operation Additional Information Success Count
Get Environment String True 4
Get Environment String name = PATH, result_out = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\ True 1
Get Environment String name = PATHEXT, result_out = .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC True 1
Get Environment String name = PROMPT False 1
Get Environment String name = COMSPEC, result_out = C:\Windows\system32\cmd.exe True 1
Get Environment String name = KEYS False 1
Set Environment String name = PROMPT, value = $P$G True 1
Set Environment String name = =C:, value = C:\Windows\System32 True 1
Process #8: firefox.exe
(Host: 3, Network: 0)
Information Value
ID #8
File Name c:\program files (x86)\mozilla firefox\firefox.exe
Command Line "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:22, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:03:59
OS Process Information
Information Value
PID 0xb08
Parent PID 0xa38 (c:\windows\syswow64\msiexec.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:00010611 (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0xB0C
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True True False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True True False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00062fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x000fafff Pagefile Backed Memory Readable, Writable, Executable True False False
locale.nls 0x00100000 0x00166fff Memory Mapped File Readable False False False
pagefile_0x0000000000180000 0x00180000 0x00186fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000190000 0x00190000 0x00191fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000001b0000 0x001b0000 0x001effff Private Memory Readable, Writable True True False
private_0x0000000000230000 0x00230000 0x0023ffff Private Memory Readable, Writable True True False
private_0x00000000002c0000 0x002c0000 0x003bffff Private Memory Readable, Writable True True False
pagefile_0x00000000003c0000 0x003c0000 0x008a1fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000008b0000 0x008b0000 0x00a37fff Pagefile Backed Memory Readable True False False
private_0x0000000000a80000 0x00a80000 0x00a8ffff Private Memory Readable, Writable True True False
private_0x0000000000aa0000 0x00aa0000 0x00b1ffff Private Memory Readable, Writable True True False
pagefile_0x0000000000b20000 0x00b20000 0x00ca0fff Pagefile Backed Memory Readable True False False
private_0x0000000000d10000 0x00d10000 0x00d4ffff Private Memory Readable, Writable True True False
ntdll.dll 0x00d50000 0x00ecffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000ed0000 0x00ed0000 0x00fcffff Private Memory Readable, Writable True True False
private_0x0000000001000000 0x01000000 0x010fffff Private Memory Readable, Writable True True False
firefox.exe 0x01270000 0x012b3fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000001270000 0x01270000 0x012b3fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x00000000012c0000 0x012c0000 0x026bffff Pagefile Backed Memory Readable True False False
sortdefault.nls 0x026c0000 0x0298efff Memory Mapped File Readable False False False
pagefile_0x0000000002990000 0x02990000 0x02d82fff Pagefile Backed Memory Readable True False False
wow64win.dll 0x73a70000 0x73acbfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73ad0000 0x73b0efff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73b40000 0x73b47fff Memory Mapped File Readable, Writable, Executable False False False
freebl3.dll 0x74490000 0x744defff Memory Mapped File Readable, Writable, Executable False False False
softokn3.dll 0x744e0000 0x74506fff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x74510000 0x74578fff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x74580000 0x74734fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x74740000 0x747fdfff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x74b50000 0x74b71fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74b80000 0x74bb1fff Memory Mapped File Readable, Writable, Executable False False False
nssdbm3.dll 0x74f70000 0x74f86fff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x74f90000 0x74f96fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x750b0000 0x750bbfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x750c0000 0x7511ffff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x75120000 0x7521ffff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x75240000 0x75258fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x75260000 0x7530bfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x75320000 0x75365fff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x75380000 0x753b4fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x753c0000 0x754affff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x754e0000 0x7556ffff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75790000 0x763d9fff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x765b0000 0x766bffff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76750000 0x76759fff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76760000 0x767fffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x768e0000 0x769fcfff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76a00000 0x76acbfff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x76ad0000 0x76b2ffff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76b30000 0x76bccfff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x76bd0000 0x76bd5fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x77100000 0x77156fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077160000 0x77160000 0x77259fff Private Memory Readable, Writable, Executable True True False
private_0x0000000077260000 0x77260000 0x7737efff Private Memory Readable, Writable, Executable True True False
ntdll.dll 0x77380000 0x77528fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x77530000 0x7753bfff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77560000 0x776dffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True True False
pagefile_0x00000000fffb0000 0xfffb0000 0xfffd2fff Pagefile Backed Memory Readable True False False
private_0x00000000fffdb000 0xfffdb000 0xfffddfff Private Memory Readable, Writable True True False
private_0x00000000fffde000 0xfffde000 0xfffdefff Private Memory Readable, Writable True True False
private_0x00000000fffdf000 0xfffdf000 0xfffdffff Private Memory Readable, Writable True True False
private_0x00000000fffe0000 0xfffe0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #5: c:\windows\syswow64\msiexec.exe 0xa3c address = 0x3c0000, size = 5120000 True 1
Modify Memory #5: c:\windows\syswow64\msiexec.exe 0xa3c address = 0x70000, size = 569344 True 1
Modify Memory #5: c:\windows\syswow64\msiexec.exe 0xa3c address = 0x1270000, size = 278528 True 1
Host Behavior
File (1)
Operation Filename Additional Information Success Count
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Module (2)
Operation Module Additional Information Success Count
Create Mapping protection = PAGE_EXECUTE, maximum_size = 0 True 1
Map process_name = c:\program files (x86)\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xd50000 False 1
Process #9: igfxonux.scr
(Host: 1470, Network: 0)
Information Value
ID #9
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /S
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:48, Reason: Autostart
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:03:33
OS Process Information
Information Value
PID 0x53c
Parent PID 0x34c (c:\windows\explorer.exe)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e25d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x540
0x658
0x124
0x340
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
private_0x00000000001a0000 0x001a0000 0x001affff Private Memory Readable, Writable True False False
pagefile_0x00000000001b0000 0x001b0000 0x001b6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000001c0000 0x001c0000 0x001c1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000001d0000 0x001d0000 0x0024ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000250000 0x00250000 0x00251fff Pagefile Backed Memory Readable True False False
msctf.dll.mui 0x00250000 0x00250fff Memory Mapped File Readable, Writable False False False
pagefile_0x0000000000260000 0x00260000 0x00261fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000260000 0x00260000 0x00260fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000270000 0x00270000 0x00270fff Pagefile Backed Memory Readable True False False
private_0x0000000000280000 0x00280000 0x0037ffff Private Memory Readable, Writable True False False
locale.nls 0x00380000 0x003e6fff Memory Mapped File Readable False False False
private_0x00000000003f0000 0x003f0000 0x003f8fff Private Memory Readable, Writable, Executable True False False
igfxonux.scr 0x00400000 0x00447fff Memory Mapped File Readable, Writable, Executable True False False
pagefile_0x0000000000450000 0x00450000 0x005d7fff Pagefile Backed Memory Readable True False False
private_0x00000000005e0000 0x005e0000 0x0061ffff Private Memory Readable, Writable True False False
private_0x0000000000620000 0x00620000 0x00620fff Private Memory Readable, Writable True False False
private_0x0000000000640000 0x00640000 0x0064ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000650000 0x00650000 0x007d0fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000007e0000 0x007e0000 0x01bdffff Pagefile Backed Memory Readable True False False
private_0x0000000001be0000 0x01be0000 0x01c7ffff Private Memory Readable, Writable True False False
private_0x0000000001be0000 0x01be0000 0x01c1ffff Private Memory Readable, Writable True False False
private_0x0000000001c40000 0x01c40000 0x01c7ffff Private Memory Readable, Writable True False False
private_0x0000000001c80000 0x01c80000 0x01c8ffff Private Memory Readable, Writable True False False
private_0x0000000001c90000 0x01c90000 0x0208ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x02090000 0x0235efff Memory Mapped File Readable False False False
private_0x0000000002360000 0x02360000 0x024affff Private Memory Readable, Writable True False False
pagefile_0x0000000002360000 0x02360000 0x0243efff Pagefile Backed Memory Readable True False False
private_0x0000000002470000 0x02470000 0x024affff Private Memory Readable, Writable True False False
private_0x00000000024b0000 0x024b0000 0x0252ffff Private Memory Readable, Writable True False False
private_0x0000000002530000 0x02530000 0x0256ffff Private Memory Readable, Writable True False False
private_0x0000000002590000 0x02590000 0x025cffff Private Memory Readable, Writable True False False
private_0x00000000025d0000 0x025d0000 0x026bffff Private Memory Readable, Writable True False False
private_0x00000000026d0000 0x026d0000 0x026dffff Private Memory Readable, Writable True False False
pagefile_0x00000000026e0000 0x026e0000 0x02ad2fff Pagefile Backed Memory Readable True False False
staticcache.dat 0x02ae0000 0x0340ffff Memory Mapped File Readable False False False
private_0x0000000003410000 0x03410000 0x0350ffff Private Memory Readable, Writable True False False
private_0x0000000003510000 0x03510000 0x0750ffff Private Memory Readable, Writable, Executable True False False
private_0x0000000007510000 0x07510000 0x0760ffff Private Memory Readable, Writable True False False
private_0x0000000007610000 0x07610000 0x0770ffff Private Memory Readable, Writable True False False
msvbvm60.dll 0x72940000 0x72a92fff Memory Mapped File Readable, Writable, Executable True False False
dwmapi.dll 0x72d60000 0x72d72fff Memory Mapped File Readable, Writable, Executable False False False
uxtheme.dll 0x737e0000 0x7385ffff Memory Mapped File Readable, Writable, Executable False False False
sxs.dll 0x73990000 0x739eefff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73a00000 0x73a07fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a10000 0x73a6bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73a70000 0x73aaefff Memory Mapped File Readable, Writable, Executable False False False
winspool.drv 0x74f70000 0x74fc0fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74fe0000 0x74febfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74ff0000 0x7504ffff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75080000 0x75cc9fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75cd0000 0x75d26fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x760d0000 0x7615efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76160000 0x7622bfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76260000 0x762fffff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76300000 0x7638ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764d0000 0x7652ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76720000 0x7682ffff Memory Mapped File Readable, Writable, Executable False False False
clbcatq.dll 0x76830000 0x768b2fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x768f0000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76b00000 0x76c5bfff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76ca0000 0x76d4bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76d50000 0x76d59fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76e10000 0x76e55fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76e70000 0x76e88fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76f90000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077090000 0x77090000 0x771aefff Private Memory Readable, Writable, Executable True False False
private_0x00000000771b0000 0x771b0000 0x772a9fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x772b0000 0x77458fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77490000 0x7760ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Host Behavior
File (6)
Operation Filename Additional Information Success Count
Get Info STD_INPUT_HANDLE type = file_type False 1
Get Info STD_OUTPUT_HANDLE type = file_type False 1
Get Info STD_ERROR_HANDLE type = file_type False 1
Open STD_INPUT_HANDLE True 1
Open STD_OUTPUT_HANDLE True 1
Open STD_ERROR_HANDLE True 1
Registry (2)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VBA\Monitors False 2
Process (1)
Operation Process Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr os_pid = 0x338, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\windows\explorer.exe os_tid = 0x540 True 1
Set Context c:\windows\explorer.exe os_tid = 0x540 True 1
Resume c:\windows\explorer.exe os_tid = 0x540 True 1
Memory (5)
Operation Process Additional Information Success Count
Allocate C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr address = 0x3510004, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 55664920 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr address = 0x400000, size = 512 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr address = 0x400000, size = 1 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr address = 0x401000, size = 141824 True 1
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr address = 0x7efde008, size = 4 True 1
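The Process, Thread and Memory rows of process #9 above (a second copy of itself started with CREATE_SUSPENDED and SW_HIDE, a 512-byte write at 0x400000 where the PE headers live, a 141824-byte write at 0x401000, a 4-byte write at 0x7efde008, then Set Context and Resume) are the RunPE / process-hollowing sequence, and the Injection Information of process #8 shows msiexec.exe writing into firefox.exe's address space. The Python below is an added example, not VMRay's code: it runs that triage logic over constructed event records that mirror these rows. The pipe-separated record format, the `#n` source labels, the sample events, and the assumption that 0x7efde008 is PEB.ImageBaseAddress (offset 0x08 of the 32-bit PEB, which the Region table places in the single page at 0x7efde000) are mine, not the report's.

```python
"""Triage of the behaviour rows above: the CREATE_SUSPENDED / write-image /
write-PEB / Set Context / Resume chain of process #9 (RunPE-style process
hollowing) and the cross-process Modify Memory events against process #8.
Added example, not VMRay code; the record format and events are constructed."""
import re
from collections import defaultdict

# Assumption for the Win7 x86/WOW64 layout in the Region tables: the PEB is the
# page at 0x7efde000 and the 32-bit PEB.ImageBaseAddress field sits at +0x08.
X86_PEB_IMAGEBASE = 0x7efde000 + 0x08

# Constructed sample log: source | category | operation | target | key = value, ...
SAMPLE_EVENTS = [
    "#9|Module|Get Handle|igfxonux.scr|base_address = 0x400000",
    "#9|Process|Create|igfxonux.scr|os_pid = 0x338, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE",
    "#9|Thread|Get Context|explorer.exe|os_tid = 0x540",
    "#9|Thread|Set Context|explorer.exe|os_tid = 0x540",
    "#9|Thread|Resume|explorer.exe|os_tid = 0x540",
    "#9|Memory|Allocate|igfxonux.scr|address = 0x3510004, protection = PAGE_EXECUTE_READWRITE, size = 55664920",
    "#9|Memory|Write|igfxonux.scr|address = 0x400000, size = 512",
    "#9|Memory|Write|igfxonux.scr|address = 0x401000, size = 141824",
    "#9|Memory|Write|igfxonux.scr|address = 0x7efde008, size = 4",
    "#5|Injection|Modify Memory|firefox.exe|address = 0x3c0000, size = 5120000",
    "#5|Injection|Modify Memory|firefox.exe|address = 0x1270000, size = 278528",
    "#7|Registry|Read Value|HKLM\\Software\\Microsoft\\Command Processor|value_name = AutoRun, data = 64",
]

HOLLOWING_CHAIN = {"suspended_child", "set_thread_context", "resume_thread"}


def parse_event(line):
    """Split one record into its fixed fields plus the 'key = value' details."""
    src, cat, op, target, details = line.split("|", 4)
    ev = {"src": src, "cat": cat, "op": op, "target": target}
    for m in re.finditer(r"(\w+)\s*=\s*([^,]+)", details):
        ev[m.group(1)] = m.group(2).strip()
    return ev


def own_image_base(events):
    """Image base of the caller's own executable (first Get Handle on a non-DLL).
    Used as the child's expected base too: the sample hollows a copy of itself
    and the Region table shows the VB6 image fixed at 0x400000 (no ASLR)."""
    for ev in events:
        if ev["cat"] == "Module" and ev["op"] == "Get Handle" \
                and "base_address" in ev and not ev["target"].lower().endswith(".dll"):
            return int(ev["base_address"], 16)
    return None


def analyze(lines):
    """Return {source process: set of finding names}."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        flags = set()
        base = own_image_base(events)
        for ev in events:
            cat, op = ev["cat"], ev["op"]
            if cat == "Process" and op == "Create" \
                    and "CREATE_SUSPENDED" in ev.get("creation_flags", ""):
                flags.add("suspended_child")
            elif cat == "Thread" and op == "Set Context":
                flags.add("set_thread_context")
            elif cat == "Thread" and op == "Resume":
                flags.add("resume_thread")
            elif cat == "Memory" and op == "Allocate" \
                    and "PAGE_EXECUTE_READWRITE" in ev.get("protection", ""):
                flags.add("rwx_alloc")
            elif cat == "Memory" and op == "Write":
                addr, size = int(ev["address"], 16), int(ev["size"])
                if addr == X86_PEB_IMAGEBASE and size == 4:
                    flags.add("peb_imagebase_overwrite")   # repoints PEB.ImageBaseAddress
                elif base is not None and base <= addr < base + 0x1000:
                    flags.add("pe_header_overwrite")       # new headers over the old image
            elif cat == "Injection" and op == "Modify Memory":
                flags.add("cross_process_write")
        # Verdict: suspended child + image or PEB rewrite + context swap + resume.
        if HOLLOWING_CHAIN <= flags and flags & {"peb_imagebase_overwrite", "pe_header_overwrite"}:
            flags.add("process_hollowing")
        findings[src] = flags
    return findings


if __name__ == "__main__":
    for src, flags in sorted(analyze(SAMPLE_EVENTS).items()):
        print(src, sorted(flags) or "no findings")
```

Run as-is to print the per-process findings. The pe_header_overwrite check takes the expected image base from the caller's own Get Handle row because this sample hollows a copy of itself; against a different target binary, or one with ASLR, the base has to come from the target's own module list. The cmd.exe rows (process #7) reading the Command Processor AutoRun value produce no finding here, which matches the report: the read failed, so no AutoRun persistence was present.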
Module (158)
Operation Module Additional Information Success Count
Load OLEAUT32.DLL base_address = 0x760d0000 True 1
Load SXS.DLL base_address = 0x73990000 True 1
Load ADVAPI32.DLL base_address = 0x76260000 True 2
Load user32 base_address = 0x76f90000 True 5
Load winspool.drv base_address = 0x74f70000 True 1
Load Msvbvm60.dll base_address = 0x72940000 True 1
Load kernel32 base_address = 0x76720000 True 18
Load advapi32 base_address = 0x76260000 True 1
Load shell32 base_address = 0x75080000 True 1
Load ntdll base_address = 0x77490000 True 8
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76720000 True 2
Get Handle c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr base_address = 0x400000 True 1
Get Handle c:\windows\syswow64\oleaut32.dll base_address = 0x760d0000 True 1
Get Handle c:\windows\syswow64\ole32.dll base_address = 0x76b00000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x76f90000 True 1
Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, size = 260 True 3
Get Filename process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, file_name_orig = C:\Windows\system32\MSVBVM60.DLL, size = 260 True 3
Get Filename c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, size = 260 True 2
Get Address c:\windows\syswow64\kernel32.dll function = IsTNT, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = IsProcessorFeaturePresent, address_out = 0x76735235 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = OleLoadPictureEx, address_out = 0x761370a1 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = DispCallFunc, address_out = 0x760e3dcf True 1
Get Address c:\windows\syswow64\oleaut32.dll function = LoadTypeLibEx, address_out = 0x760e07b7 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = UnRegisterTypeLib, address_out = 0x76101ca9 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = CreateTypeLib2, address_out = 0x760e8e70 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDateFromUdate, address_out = 0x760e7684 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarUdateFromDate, address_out = 0x760ecc98 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetAltMonthNames, address_out = 0x7611903a True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarNumFromParseNum, address_out = 0x760e6231 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarParseNumFromStr, address_out = 0x760e5fea True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR4, address_out = 0x760f3f94 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromR8, address_out = 0x760f4e9e True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromDate, address_out = 0x7611db72 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromI4, address_out = 0x76102a8c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecFromCy, address_out = 0x7611d737 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = VarR4FromDec, address_out = 0x7611e015 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromTypeInfo, address_out = 0x7611cc3d True 1
Get Address c:\windows\syswow64\oleaut32.dll function = GetRecordInfoFromGuids, address_out = 0x7611d1c4 True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetRecordInfo, address_out = 0x7611d48c True 1
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetRecordInfo, address_out = 0x7611d4c6 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayGetIID, address_out = 0x7611d509 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArraySetIID, address_out = 0x760ee7bb True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCopyData, address_out = 0x760ee496 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayAllocDescriptorEx, address_out = 0x760eddf1 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = SafeArrayCreateEx, address_out = 0x7611d53f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormat, address_out = 0x76122055 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatDateTime, address_out = 0x761220ea True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatNumber, address_out = 0x76122151 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatPercent, address_out = 0x761221f5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFormatCurrency, address_out = 0x76122288 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarWeekdayName, address_out = 0x76122335 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMonthName, address_out = 0x761223d5 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAdd, address_out = 0x760f5934 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAnd, address_out = 0x760f5a98 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCat, address_out = 0x760f59b4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDiv, address_out = 0x7614e405 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarEqv, address_out = 0x7614ef07 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarIdiv, address_out = 0x7614f00a True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarImp, address_out = 0x7614ef47 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMod, address_out = 0x7614f15e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarMul, address_out = 0x7614dbd4 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarOr, address_out = 0x7614ecfa True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarPow, address_out = 0x7614ea66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarSub, address_out = 0x7614d332 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarXor, address_out = 0x7614ee2e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarAbs, address_out = 0x7614ca11 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarFix, address_out = 0x7614cc5f True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarInt, address_out = 0x7614cde7 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNeg, address_out = 0x7614c802 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarNot, address_out = 0x7614ec66 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarRound, address_out = 0x7614d155 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCmp, address_out = 0x760eb0dc True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecAdd, address_out = 0x76105f3e True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarDecCmp, address_out = 0x760f4fd0 True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCat, address_out = 0x760f0d2c True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarCyMulI4, address_out = 0x761059ed True 1
Fn
Get Address c:\windows\syswow64\oleaut32.dll function = VarBstrCmp, address_out = 0x760df8b8 True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CoCreateInstanceEx, address_out = 0x76b49d4e True 1
Fn
Get Address c:\windows\syswow64\ole32.dll function = CLSIDFromProgIDEx, address_out = 0x76b10782 True 1
Fn
Get Address c:\windows\syswow64\sxs.dll function = SxsOleAut32MapIIDOrCLSIDToTypeLibrary, address_out = 0x739d7685 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetSystemMetrics, address_out = 0x76fa7d2f True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromWindow, address_out = 0x76fb3150 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromRect, address_out = 0x76fce7a0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = MonitorFromPoint, address_out = 0x76fb5281 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumDisplayMonitors, address_out = 0x76fb451a True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetMonitorInfoA, address_out = 0x76fb4413 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = CloseEventLog, address_out = 0x762677c3 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = SetAclInformation, address_out = 0x762a34e3 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateDialogIndirectParamA, address_out = 0x76fbb029 True 1
Fn
Get Address c:\windows\syswow64\winspool.drv function = DeletePrintProcessorA, address_out = 0x74f78aff True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = CreateWindowExA, address_out = 0x76fad22e True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = ShowWindow, address_out = 0x76fb0dfb True 1
Fn
Get Address c:\windows\syswow64\msvbvm60.dll function = rtcDoEvents, address_out = 0x72a0e0f7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = EnumWindows, address_out = 0x76fad1cf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAlloc, address_out = 0x76731856 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTickCount, address_out = 0x7673110c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = Sleep, address_out = 0x767310ff True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetErrorMode, address_out = 0x76731b00 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = SetLastError, address_out = 0x767311a9 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x7674d9b0 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = GetCursorPos, address_out = 0x76fb1218 True 1
Fn
Get Address c:\windows\syswow64\advapi32.dll function = RegOpenKeyExA, address_out = 0x76274907 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CloseHandle, address_out = 0x76731410 True 1
Fn
Get Address c:\windows\syswow64\shell32.dll function = ShellExecuteW, address_out = 0x75093c71 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = WriteFile, address_out = 0x76731282 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateFileW, address_out = 0x76733f5c True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = TerminateProcess, address_out = 0x7674d802 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = VirtualProtectEx, address_out = 0x767b45bf True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7673103d True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetTempPathW, address_out = 0x7674d4dc True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetLongPathNameW, address_out = 0x7673a315 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetFileSize, address_out = 0x7673196e True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = ReadFile, address_out = 0x76733ed3 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetCommandLineW, address_out = 0x76735223 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtAllocateVirtualMemory, address_out = 0x774afab0 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteVirtualMemory, address_out = 0x774afe04 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtTerminateThread, address_out = 0x774b0074 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtOpenEvent, address_out = 0x774afe98 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x774afc70 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtGetContextThread, address_out = 0x774b0c20 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtSetContextThread, address_out = 0x774b1910 True 1
Fn
Get Address c:\windows\syswow64\ntdll.dll function = NtResumeThread, address_out = 0x774b0058 True 1
Fn
Get Address c:\windows\syswow64\kernel32.dll function = GetExitCodeProcess, address_out = 0x7674174d True 1
Fn
Window (9)
Operation Window Name Additional Information Success Count
Create class_name = ThunderRT6Main, wndproc_parameter = 0 True 1
Create class_name = VBMsoStdCompMgr, wndproc_parameter = 0 True 1
Create class_name = VBFocusRT6, wndproc_parameter = 0 True 1
Create Southlander wndproc_parameter = 0 True 1
Create Southlander wndproc_parameter = 0 True 1
Create çSÌ¥’ËhєÃ7¯¸X ²B class_name = STATIC, wndproc_parameter = 0 True 1
Set Attribute class_name = VBMsoStdCompMgr, index = 0, new_long = 39395484 False 1
Set Attribute Southlander index = 18446744073709551600 (GWL_STYLE, -16 rendered as an unsigned 64-bit value), new_long = 114229248 (0x06CF0000 = WS_OVERLAPPEDWINDOW | WS_CLIPSIBLINGS | WS_CLIPCHILDREN) True 1
Set Attribute Southlander index = 18446744073709551596 (GWL_EXSTYLE, -20 rendered as an unsigned 64-bit value), new_long = 256 (0x100 = WS_EX_WINDOWEDGE) True 1
Keyboard (1)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 0, result_out = 67699721 True 1
System (1219)
Operation Additional Information Success Count
Get Cursor x_out = 1070, y_out = 121 True 598
Get Cursor x_out = 15, y_out = 821 True 1
Sleep duration = 0 milliseconds (0.000 seconds) True 3
Sleep duration = 2000 milliseconds (2.000 seconds) True 1
Sleep duration = 1 milliseconds (0.001 seconds) True 598
Get Time type = Ticks, time = 14274 True 3
Get Time type = Ticks, time = 14320 True 2
Get Time type = Ticks, time = 14367 True 4
Get Time type = Ticks, time = 21200 True 1
Get Time type = Ticks, time = 32339 True 1
Get Time type = Ticks, time = 34351 True 1
Get Info type = Operating System True 3
Get Info type = Operating System False 2
Get Info type = Hardware Information True 1
Mutex (1)
Operation Additional Information Success Count
Create True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String True 1
Process #10: igfxonux.scr
(Host: 49, Network: 0)
Information Value
ID #10
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr" /S
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:27, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:54
OS Process Information
Information Value
PID 0x338
Parent PID 0x53c (c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr)
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e25d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 614
0x 610
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x0002ffff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x0003dfff Private Memory Readable, Writable, Executable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000000050000 0x00050000 0x0008ffff Private Memory Readable, Writable True False False
private_0x0000000000090000 0x00090000 0x0018ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000190000 0x00190000 0x00193fff Pagefile Backed Memory Readable True False False
locale.nls 0x001a0000 0x00206fff Memory Mapped File Readable False False False
private_0x0000000000210000 0x00210000 0x0036ffff Private Memory Readable, Writable True False False
private_0x0000000000210000 0x00210000 0x0024ffff Private Memory Readable, Writable True False False
private_0x0000000000250000 0x00250000 0x0034ffff Private Memory Readable, Writable True False False
private_0x0000000000350000 0x00350000 0x0035dfff Private Memory Readable, Writable, Executable True False False
private_0x0000000000360000 0x00360000 0x0036ffff Private Memory Readable, Writable True False False
private_0x0000000000370000 0x00370000 0x00370fff Private Memory Readable, Writable True False False
private_0x0000000000380000 0x00380000 0x003fffff Private Memory Readable, Writable True False False
private_0x0000000000400000 0x00400000 0x00423fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000430000 0x00430000 0x005b0fff Private Memory Readable, Writable True False False
pagefile_0x0000000000430000 0x00430000 0x00453fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000000460000 0x00460000 0x004e8fff Pagefile Backed Memory Readable, Writable, Executable True False False
imm32.dll 0x004f0000 0x0050dfff Memory Mapped File Readable False False False
private_0x00000000004f0000 0x004f0000 0x004f0fff Private Memory Readable, Writable True False False
pagefile_0x0000000000500000 0x00500000 0x00523fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000000530000 0x00530000 0x00547fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000610000 0x00610000 0x0070ffff Private Memory Readable, Writable True False False
private_0x0000000000710000 0x00710000 0x00a12fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000000a20000 0x00a20000 0x00ba7fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000bb0000 0x00bb0000 0x00d30fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000d40000 0x00d40000 0x0213ffff Pagefile Backed Memory Readable True False False
wow64cpu.dll 0x73a00000 0x73a07fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a10000 0x73a6bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73a70000 0x73aaefff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74fe0000 0x74febfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74ff0000 0x7504ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76160000 0x7622bfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76260000 0x762fffff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76300000 0x7638ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764d0000 0x7652ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76720000 0x7682ffff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x768f0000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76ca0000 0x76d4bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76d50000 0x76d59fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76e10000 0x76e55fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76e70000 0x76e88fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76f90000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077090000 0x77090000 0x771aefff Private Memory Readable, Writable, Executable True False False
private_0x00000000771b0000 0x771b0000 0x772a9fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x772b0000 0x77458fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77490000 0x7760ffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x400000, size = 512 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x400000, size = 1 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x401000, size = 141824 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x7efde008, size = 4 True 1
Modify Control Flow #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 os_tid = 0x614, address = 0x774a01c4 True 1
The four writes from the parent instance (#9, same image) lay out a PE image in this process: 512 bytes of headers at 0x400000 (the RWX region private_0x0000000000400000 above), 141824 bytes of section data at 0x401000, and a 4-byte patch at 0x7efde008, which is ImageBaseAddress (offset 0x08) in the 32-bit PEB at 0x7efde000. The control-flow change then points thread 0x614's context at an address inside the 32-bit ntdll.dll mapped at 0x77490000.
Host Behavior
File (10)
Operation Filename Additional Information Success Count
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Windows\SysWOW64\cmstp.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 2
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 1
Get Info \??\C:\Windows\SysWOW64\cmstp.exe type = extended True 1
Read \??\C:\Windows\SysWOW64\ntdll.dll offset = 0, size = 1292096 True 1
Read \??\C:\Windows\SysWOW64\cmstp.exe offset = 0, size = 84992 True 1
Process (6)
Operation Process Additional Information Success Count
Get Info c:\windows\explorer.exe type = PROCESS_WOW64_INFORMATION True 1
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 1
Get Info c:\program files\windows nt\hungry sage sender.exe type = PROCESS_BASIC_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1
Open c:\windows\explorer.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1
Open c:\program files\windows nt\hungry sage sender.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 1
Thread (8)
Operation Process Additional Information Success Count
Open c:\windows\explorer.exe os_tid = 0x358 True 1
Open c:\windows\syswow64\cmstp.exe os_tid = 0x668 True 1
Suspend c:\windows\explorer.exe os_tid = 0x358 True 1
Get Context c:\windows\explorer.exe os_tid = 0x358 True 1
Queue APC c:\windows\explorer.exe os_tid = 0x358 True 1
Set Context c:\windows\explorer.exe os_tid = 0x358 True 1
Resume c:\windows\explorer.exe os_tid = 0x358 True 1
Resume c:\windows\syswow64\cmstp.exe os_tid = 0x668 True 1
Memory (4)
Operation Process Additional Information Success Count
Read c:\windows\explorer.exe address = 0x7fffffd4000, size = 64 True 1
Read c:\windows\explorer.exe address = 0x7d99000, size = 680 True 1
Read c:\program files\windows nt\hungry sage sender.exe address = 0x7efde008 (ImageBaseAddress at offset 0x08 of the target's 32-bit PEB), size = 4 True 1
Read c:\program files\windows nt\hungry sage sender.exe address = 0x630000, size = 98304 True 1
Module (13)
Operation Module Additional Information Success Count
Load advapi32.dll base_address = 0x0 True 1
Load user32.dll base_address = 0x0 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1631500 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633256 True 1
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1633272 True 1
Map process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x430000 True 1
Map process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x460000 True 1
Map process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x7d50000 True 1
Map process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x500000 True 1
Map process_name = c:\program files\windows nt\hungry sage sender.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 True 1
Map process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr, protection = PAGE_EXECUTE_READWRITE, address_out = 0x530000 True 1
Map process_name = c:\program files\windows nt\hungry sage sender.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x630000 True 1
System (3)
Operation Additional Information Success Count
Sleep duration = 1630732 milliseconds (1630.732 seconds) True 1
Get Info type = SYSTEM_PROCESS_INFORMATION True 2
Environment (1)
Operation Additional Information Success Count
Set Environment String name = L53886-W, value = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr, environment = 0 True 1
Debug (1)
Operation Process Additional Information Success Count
Check for Presence c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr True 1
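Taken together, the rows for this process show the RunPE (process hollowing) and thread-hijack pattern: the loader resolves NtUnmapViewOfSection, NtWriteVirtualMemory, NtGetContextThread, NtSetContextThread and NtResumeThread at run time (the ntdll.dll Get Address rows above), the parent instance writes a 512-byte PE header at 0x400000 and a section body at 0x401000 into this process and patches ImageBaseAddress in its PEB (Injection Information), and the process then suspends thread 0x358 in explorer.exe, replaces its context and resumes it (Thread rows). The Python below is an added example for detection engineers; it is not VMRay's code and not part of the analyzer. It parses behaviour rows in the text layout rendered on this page (a sample copied from the rows above is embedded as constructed input) and flags those three patterns. The RunPE API set, the threshold of five resolved APIs and the header-then-section heuristic are the example's own assumptions.

```python
import re
from collections import defaultdict

# Row layouts as rendered on this page (assumed; not a documented VMRay export format).
RE_GETADDR = re.compile(
    r"^Get Address (.+?) function = (\w+), address_out = 0x[0-9a-f]+ (True|False) \d+$")
RE_THREAD = re.compile(
    r"^(Open|Suspend|Resume|Get Context|Set Context|Queue APC) (.+?) os_tid = (0x[0-9a-f]+) (True|False) \d+$")
RE_MODMEM = re.compile(
    r"^Modify Memory #\d+: (.+?) 0x[0-9a-f]+ address = (0x[0-9a-f]+), size = (\d+) (True|False) \d+$")

# APIs a RunPE-style loader resolves at run time (assumed set; tune for your corpus).
RUNPE_APIS = frozenset({
    "NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
    "NtGetContextThread", "NtSetContextThread", "NtResumeThread",
    "VirtualAllocEx", "WriteProcessMemory", "CreateProcessA", "CreateProcessW",
})
RUNPE_MIN_HITS = 5   # assumption: fewer than this is ordinary Win32 code
PAGE = 0x1000        # default PE section alignment: headers page, then first section

# Constructed sample: rows copied from the report above for igfxonux.scr (#10),
# plus one unrelated row to show that non-matching lines are ignored.
SAMPLE_ROWS = r"""
Get Address c:\windows\syswow64\kernel32.dll function = VirtualAllocEx, address_out = 0x7674d9b0 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateProcessW, address_out = 0x7673103d True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtAllocateVirtualMemory, address_out = 0x774afab0 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtWriteVirtualMemory, address_out = 0x774afe04 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtUnmapViewOfSection, address_out = 0x774afc70 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtGetContextThread, address_out = 0x774b0c20 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtSetContextThread, address_out = 0x774b1910 True 1
Get Address c:\windows\syswow64\ntdll.dll function = NtResumeThread, address_out = 0x774b0058 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x400000, size = 512 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x400000, size = 1 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x401000, size = 141824 True 1
Modify Memory #9: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x540 address = 0x7efde008, size = 4 True 1
Open c:\windows\explorer.exe os_tid = 0x358 True 1
Open c:\windows\syswow64\cmstp.exe os_tid = 0x668 True 1
Suspend c:\windows\explorer.exe os_tid = 0x358 True 1
Get Context c:\windows\explorer.exe os_tid = 0x358 True 1
Queue APC c:\windows\explorer.exe os_tid = 0x358 True 1
Set Context c:\windows\explorer.exe os_tid = 0x358 True 1
Resume c:\windows\explorer.exe os_tid = 0x358 True 1
Resume c:\windows\syswow64\cmstp.exe os_tid = 0x668 True 1
Sleep duration = 1630732 milliseconds (1630.732 seconds) True 1
"""


def parse_rows(text):
    """Split rows into (resolved API names, per-thread op sequences, remote writes)."""
    resolved, thread_ops, writes = set(), defaultdict(list), []
    for line in text.splitlines():
        line = line.strip()
        if m := RE_GETADDR.match(line):
            if m.group(3) == "True":
                resolved.add(m.group(2))
        elif m := RE_THREAD.match(line):
            if m.group(4) == "True":
                thread_ops[(m.group(2), m.group(3))].append(m.group(1))
        elif m := RE_MODMEM.match(line):
            if m.group(4) == "True":
                writes.append((m.group(1), int(m.group(2), 16), int(m.group(3))))
    return resolved, thread_ops, writes


def is_subsequence(wanted, ops):
    """True when every item of `wanted` occurs in `ops` in that relative order."""
    it = iter(ops)
    return all(any(op == w for op in it) for w in wanted)


def analyse(text):
    """Return findings as tuples whose first element names the rule that fired."""
    resolved, thread_ops, writes = parse_rows(text)
    findings = []

    hits = sorted(resolved & RUNPE_APIS)
    if len(hits) >= RUNPE_MIN_HITS:
        findings.append(("runpe_api_set", tuple(hits)))

    # Thread hijack: a thread in another process is suspended, its context replaced, then resumed.
    for (proc, tid), ops in thread_ops.items():
        if is_subsequence(["Suspend", "Set Context", "Resume"], ops):
            findings.append(("thread_hijack", proc, tid))

    # A PE being laid out remotely: a write of at most one page at `base` (the headers)
    # followed by another write at base + 0x1000 (the first section).
    targets = {addr for _, addr, _ in writes}
    reported = set()
    for src, addr, size in writes:
        if size <= PAGE and addr + PAGE in targets and addr not in reported:
            reported.add(addr)
            findings.append(("pe_image_written", src, hex(addr)))
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_ROWS):
        print(*finding)
```

On the sample this reports the eight resolved RunPE APIs, the hijack of explorer.exe thread 0x358, and the image written at 0x400000; the cmstp.exe thread (opened and resumed without a context change) and the PEB patch at 0x7efde008 do not fire on their own, which is the intended precision trade-off for these three rules.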
Process #11: explorer.exe
(Host: 4, Network: 0)
Information Value
ID #11
File Name c:\windows\explorer.exe
Command Line C:\Windows\Explorer.EXE
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:27, Reason: Injection
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:54
OS Process Information
Information Value
PID 0x34c
Parent PID 0x2b0 (c:\windows\system32\userinit.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e25d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x 5E0
0x 748
0x 72C
0x 724
0x 720
0x 718
0x 710
0x 700
0x 6E0
0x 6BC
0x 6B4
0x 5F8
0x 5D8
0x 5C0
0x 5B4
0x 5AC
0x 5A8
0x 564
0x 560
0x 530
0x 52C
0x 528
0x 524
0x 520
0x 514
0x 498
0x 494
0x 490
0x 3B8
0x 138
0x 174
0x F0
0x 144
0x 158
0x 384
0x 358
0x 768
0x 710
0x 780
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00021fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000030000 0x00030000 0x00033fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000040000 0x00040000 0x00041fff Pagefile Backed Memory Readable True False False
locale.nls 0x00050000 0x000b6fff Memory Mapped File Readable False False False
pagefile_0x00000000000c0000 0x000c0000 0x000c6fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000000d0000 0x000d0000 0x000d1fff Pagefile Backed Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False
private_0x00000000000f0000 0x000f0000 0x000f0fff Private Memory Readable, Writable True False False
private_0x0000000000100000 0x00100000 0x0013ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000140000 0x00140000 0x00140fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000150000 0x00150000 0x00151fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000160000 0x00160000 0x00160fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000170000 0x00170000 0x00171fff Pagefile Backed Memory Readable True False False
private_0x0000000000180000 0x00180000 0x00180fff Private Memory Readable, Writable True False False
private_0x0000000000190000 0x00190000 0x0020ffff Private Memory Readable, Writable True False False
private_0x0000000000210000 0x00210000 0x00227fff Private Memory Readable, Writable True False False
private_0x0000000000230000 0x00230000 0x0024bfff Private Memory Readable, Writable True False False
pagefile_0x0000000000250000 0x00250000 0x00250fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000260000 0x00260000 0x00262fff Pagefile Backed Memory Readable True False False
private_0x0000000000270000 0x00270000 0x0036ffff Private Memory Readable, Writable True False False
private_0x0000000000370000 0x00370000 0x0046ffff Private Memory Readable, Writable True False False
private_0x0000000000470000 0x00470000 0x00474fff Private Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x004dffff Private Memory Readable, Writable True False False
private_0x00000000004e0000 0x004e0000 0x004effff Private Memory Readable, Writable True False False
pagefile_0x00000000004f0000 0x004f0000 0x00677fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000680000 0x00680000 0x00800fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000810000 0x00810000 0x01c0ffff Pagefile Backed Memory Readable True False False
pagefile_0x0000000001c10000 0x01c10000 0x02002fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000002010000 0x02010000 0x020eefff Pagefile Backed Memory Readable True False False
private_0x00000000020f0000 0x020f0000 0x0215bfff Private Memory Readable, Writable True False False
private_0x0000000002160000 0x02160000 0x0218ffff Private Memory Readable, Writable True False False
private_0x0000000002190000 0x02190000 0x0219ffff Private Memory Readable, Writable True False False
private_0x00000000021a0000 0x021a0000 0x021affff Private Memory Readable, Writable True False False
private_0x00000000021b0000 0x021b0000 0x0222ffff Private Memory Readable, Writable True False False
private_0x0000000002230000 0x02230000 0x02230fff Private Memory Readable, Writable True False False
private_0x0000000002240000 0x02240000 0x022bffff Private Memory Readable, Writable True False False
sortdefault.nls 0x022c0000 0x0258efff Memory Mapped File Readable False False False
pagefile_0x0000000002590000 0x02590000 0x02591fff Pagefile Backed Memory Readable True False False
pagefile_0x00000000025a0000 0x025a0000 0x025a1fff Pagefile Backed Memory Readable True False False
comctl32.dll.mui 0x025b0000 0x025b2fff Memory Mapped File Readable, Writable False False False
private_0x00000000025c0000 0x025c0000 0x025c0fff Private Memory Readable, Writable True False False
private_0x00000000025d0000 0x025d0000 0x025ebfff Private Memory Readable, Writable True False False
private_0x00000000025f0000 0x025f0000 0x025f0fff Private Memory Readable, Writable True False False
private_0x0000000002600000 0x02600000 0x02608fff Private Memory Readable, Writable True False False
private_0x0000000002610000 0x02610000 0x02617fff Private Memory Readable, Writable True False False
{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db 0x02620000 0x0263afff Memory Mapped File Readable True False False
pagefile_0x0000000002640000 0x02640000 0x02640fff Pagefile Backed Memory Readable, Writable True False False
cversions.2.db 0x02650000 0x02653fff Memory Mapped File Readable True False False
{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db 0x02660000 0x0268ffff Memory Mapped File Readable True False False
private_0x0000000002690000 0x02690000 0x0269ffff Private Memory True False False
private_0x00000000026a0000 0x026a0000 0x026affff Private Memory Readable, Writable True False False
private_0x00000000026b0000 0x026b0000 0x026bffff Private Memory Readable, Writable True False False
private_0x00000000026c0000 0x026c0000 0x026cffff Private Memory Readable, Writable True False False
private_0x00000000026d0000 0x026d0000 0x026dffff Private Memory Readable, Writable True False False
private_0x00000000026e0000 0x026e0000 0x026effff Private Memory Readable, Writable True False False
private_0x00000000026f0000 0x026f0000 0x026fffff Private Memory Readable, Writable True False False
private_0x0000000002700000 0x02700000 0x0270ffff Private Memory Readable, Writable True False False
private_0x0000000002710000 0x02710000 0x0271ffff Private Memory Readable, Writable True False False
private_0x0000000002720000 0x02720000 0x0272ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002730000 0x02730000 0x02731fff Pagefile Backed Memory Readable True False False
private_0x0000000002740000 0x02740000 0x02740fff Private Memory Readable, Writable True False False
private_0x0000000002750000 0x02750000 0x02750fff Private Memory Readable, Writable True False False
private_0x0000000002760000 0x02760000 0x0276ffff Private Memory Readable, Writable True False False
private_0x0000000002770000 0x02770000 0x0286ffff Private Memory Readable, Writable True False False
private_0x0000000002870000 0x02870000 0x0296ffff Private Memory Readable, Writable True False False
cversions.2.db 0x02970000 0x02973fff Memory Mapped File Readable True False False
pagefile_0x0000000002980000 0x02980000 0x02981fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000002990000 0x02990000 0x02991fff Pagefile Backed Memory Readable True False False
private_0x00000000029a0000 0x029a0000 0x029a3fff Private Memory Readable, Writable True False False
pagefile_0x00000000029b0000 0x029b0000 0x029b1fff Pagefile Backed Memory Readable True False False
oleaccrc.dll 0x029c0000 0x029c0fff Memory Mapped File Readable False False False
pagefile_0x00000000029d0000 0x029d0000 0x029d1fff Pagefile Backed Memory Readable True False False
bthprops.cpl.mui 0x029e0000 0x029e6fff Memory Mapped File Readable, Writable False False False
private_0x00000000029f0000 0x029f0000 0x029f3fff Private Memory Readable, Writable True False False
private_0x0000000002a00000 0x02a00000 0x02a00fff Private Memory Readable, Writable True False False
private_0x0000000002a10000 0x02a10000 0x02a10fff Private Memory Readable, Writable True False False
private_0x0000000002a20000 0x02a20000 0x02a20fff Private Memory Readable, Writable True False False
private_0x0000000002a30000 0x02a30000 0x02b2ffff Private Memory Readable, Writable True False False
private_0x0000000002b30000 0x02b30000 0x02c2ffff Private Memory Readable, Writable True False False
private_0x0000000002c30000 0x02c30000 0x02e2ffff Private Memory Readable, Writable True False False
pagefile_0x0000000002e30000 0x02e30000 0x03172fff Pagefile Backed Memory Readable True False False
private_0x0000000003180000 0x03180000 0x03183fff Private Memory Readable, Writable True False False
private_0x0000000003190000 0x03190000 0x03190fff Private Memory Readable, Writable True False False
private_0x00000000031a0000 0x031a0000 0x031a0fff Private Memory Readable, Writable True False False
private_0x00000000031b0000 0x031b0000 0x031b0fff Private Memory Readable, Writable True False False
private_0x00000000031c0000 0x031c0000 0x031c0fff Private Memory Readable, Writable True False False
private_0x00000000031d0000 0x031d0000 0x031d0fff Private Memory Readable, Writable True False False
private_0x00000000031e0000 0x031e0000 0x0325ffff Private Memory Readable, Writable True False False
{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db 0x03260000 0x032c5fff Memory Mapped File Readable True False False
private_0x00000000032d0000 0x032d0000 0x032d0fff Private Memory Readable, Writable True False False
private_0x00000000032e0000 0x032e0000 0x0335ffff Private Memory Readable, Writable True False False
private_0x0000000003360000 0x03360000 0x03360fff Private Memory Readable, Writable True False False
private_0x0000000003370000 0x03370000 0x03370fff Private Memory Readable, Writable True False False
private_0x0000000003380000 0x03380000 0x03380fff Private Memory Readable, Writable True False False
private_0x0000000003390000 0x03390000 0x0340ffff Private Memory Readable, Writable True False False
private_0x0000000003410000 0x03410000 0x0348ffff Private Memory Readable, Writable True False False
pagefile_0x0000000003490000 0x03490000 0x03490fff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x00000000034a0000 0x034a0000 0x034a1fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x034b0000 0x034b3fff Memory Mapped File Readable True False False
pagefile_0x00000000034c0000 0x034c0000 0x034c1fff Pagefile Backed Memory Readable True False False
{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db 0x034d0000 0x034d0fff Memory Mapped File Readable True False False
cversions.2.db 0x034e0000 0x034e3fff Memory Mapped File Readable True False False
private_0x00000000034f0000 0x034f0000 0x034f0fff Private Memory Readable, Writable True False False
private_0x0000000003500000 0x03500000 0x03500fff Private Memory Readable, Writable True False False
private_0x0000000003510000 0x03510000 0x03510fff Private Memory Readable, Writable True False False
private_0x0000000003520000 0x03520000 0x0359ffff Private Memory Readable, Writable True False False
private_0x00000000035a0000 0x035a0000 0x0361ffff Private Memory Readable, Writable True False False
private_0x0000000003630000 0x03630000 0x036affff Private Memory Readable, Writable True False False
private_0x00000000036e0000 0x036e0000 0x03727fff Private Memory Readable, Writable True False False
private_0x0000000003750000 0x03750000 0x03750fff Private Memory Readable, Writable True False False
thumbcache_1024.db 0x03770000 0x03770fff Memory Mapped File Readable, Writable True False False
{3978ea0a-1c7e-4449-8ae1-e1265f039002}.2.ver0x0000000000000003.db 0x03780000 0x03780fff Memory Mapped File Readable True False False
private_0x0000000003790000 0x03790000 0x0380ffff Private Memory Readable, Writable True False False
staticcache.dat 0x03810000 0x0413ffff Memory Mapped File Readable False False False
cversions.2.db 0x04140000 0x04143fff Memory Mapped File Readable True False False
{4e36ea69-73d1-4458-9d16-50f8e31a69a0}.2.ver0x0000000000000001.db 0x04150000 0x04150fff Memory Mapped File Readable True False False
private_0x0000000004160000 0x04160000 0x041affff Private Memory Readable, Writable True False False
thumbcache_sr.db 0x04200000 0x04200fff Memory Mapped File Readable, Writable True False False
private_0x0000000004210000 0x04210000 0x0428ffff Private Memory Readable, Writable True False False
thumbcache_idx.db 0x04290000 0x04290fff Memory Mapped File Readable, Writable True False False
pagefile_0x00000000042a0000 0x042a0000 0x042a0fff Pagefile Backed Memory Readable, Writable True False False
thumbcache_1024.db 0x042b0000 0x042b0fff Memory Mapped File Readable, Writable True False False
thumbcache_sr.db 0x042c0000 0x042c0fff Memory Mapped File Readable, Writable True False False
private_0x00000000042d0000 0x042d0000 0x0434ffff Private Memory Readable, Writable True False False
pagefile_0x0000000004350000 0x04350000 0x04350fff Pagefile Backed Memory Readable True False False
wdmaud.drv.mui 0x04360000 0x04360fff Memory Mapped File Readable, Writable False False False
mmdevapi.dll.mui 0x04370000 0x04370fff Memory Mapped File Readable, Writable False False False
private_0x0000000004380000 0x04380000 0x04381fff Private Memory Readable, Writable True False False
private_0x0000000004390000 0x04390000 0x0440ffff Private Memory Readable, Writable True False False
private_0x0000000004410000 0x04410000 0x04442fff Private Memory Readable, Writable True False False
pagefile_0x0000000004450000 0x04450000 0x04451fff Pagefile Backed Memory Readable True False False
thumbcache_idx.db 0x04460000 0x04460fff Memory Mapped File Readable, Writable True False False
private_0x0000000004470000 0x04470000 0x044effff Private Memory Readable, Writable True False False
pagefile_0x00000000044f0000 0x044f0000 0x044f0fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004500000 0x04500000 0x04501fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004510000 0x04510000 0x04511fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004520000 0x04520000 0x04521fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000004530000 0x04530000 0x04531fff Pagefile Backed Memory Readable True False False
cversions.2.db 0x04540000 0x04543fff Memory Mapped File Readable True False False
private_0x0000000004550000 0x04550000 0x045cffff Private Memory Readable, Writable True False False
pagefile_0x00000000045d0000 0x045d0000 0x045d1fff Pagefile Backed Memory Readable True False False
private_0x00000000045e0000 0x045e0000 0x045e0fff Private Memory Readable, Writable, Executable True False False
thumbcache_1024.db 0x045f0000 0x045f0fff Memory Mapped File Readable, Writable True False False
thumbcache_sr.db 0x04600000 0x04600fff Memory Mapped File Readable, Writable True False False
thumbcache_idx.db 0x04610000 0x04610fff Memory Mapped File Readable, Writable True False False
pagefile_0x0000000004620000 0x04620000 0x04621fff Pagefile Backed Memory Readable True False False
private_0x0000000004630000 0x04630000 0x046affff Private Memory Readable, Writable True False False
private_0x00000000046b0000 0x046b0000 0x046b0fff Private Memory Readable, Writable True False False
msctf.dll.mui 0x046c0000 0x046c0fff Memory Mapped File Readable, Writable False False False
For performance reasons, the remaining 254 entries are omitted.
The remaining entries can be found in flog.txt.
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x614 address = 0x7d50000, size = 561152 True 1
Modify Control Flow #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x614 os_tid = 0x358, address = 0xfe91c010 True 1
Modify Control Flow #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x614 os_tid = 0x358, address = 0x7d66ead True 1
Modify Memory #13: c:\windows\syswow64\cmstp.exe 0x668 address = 0x95c0000, size = 5120000 True 1
Modify Memory #13: c:\windows\syswow64\cmstp.exe 0x668 address = 0x8220000, size = 479232 True 1
Modify Control Flow #13: c:\windows\syswow64\cmstp.exe 0x668 os_tid = 0x358, address = 0x0 True 1
Modify Control Flow #13: c:\windows\syswow64\cmstp.exe 0x668 os_tid = 0x358, address = 0x8239e96 True 1
Host Behavior
Process (3)
Operation Process Additional Information Success Count
Create C:\Windows\SysWOW64\rdpclip.exe os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE False 1
Create C:\Windows\SysWOW64\autochk.exe os_pid = 0x0, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE False 1
Create C:\Windows\SysWOW64\cmstp.exe os_pid = 0x634, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, CREATE_NO_WINDOW, show_window = SW_HIDE True 1
Mutex (1)
Operation Additional Information Success Count
Create mutex_name = S-1-5-21-3388679-8441793209033 True 1
Process #12: autochk.exe
Information Value
ID #12
File Name c:\windows\syswow64\autochk.exe
Command Line "C:\Windows\SysWOW64\autochk.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:31, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:50
Remarks No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x624
Parent PID 0x34c (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e25d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x628
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
private_0x00000000000d0000 0x000d0000 0x0010ffff Private Memory Readable, Writable True False False
private_0x00000000001a0000 0x001a0000 0x001dffff Private Memory Readable, Writable True False False
autochk.exe 0x00ba0000 0x00c45fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x772b0000 0x77458fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77490000 0x7760ffff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Process #13: cmstp.exe
(Host: 227, Network: 0)
Information Value
ID #13
File Name c:\windows\syswow64\cmstp.exe
Command Line "C:\Windows\SysWOW64\cmstp.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:31, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:50
OS Process Information
Information Value
PID 0x634
Parent PID 0x34c (c:\windows\explorer.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e25d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x668
0x6D0
0x6E4
0x46C
0x63C
0x5C8
Region
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
pagefile_0x0000000000020000 0x00020000 0x00026fff Pagefile Backed Memory Readable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
pagefile_0x0000000000030000 0x00030000 0x00031fff Pagefile Backed Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00060fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x00093fff Pagefile Backed Memory Readable, Writable, Executable True False False
cmstp.exe.mui 0x000a0000 0x000a4fff Memory Mapped File Readable, Writable False False False
private_0x00000000000b0000 0x000b0000 0x000b0fff Private Memory Readable, Writable True False False
private_0x00000000000c0000 0x000c0000 0x000c0fff Private Memory Readable, Writable True False False
private_0x00000000000d0000 0x000d0000 0x000dffff Private Memory Readable, Writable True False False
private_0x00000000000e0000 0x000e0000 0x000e0fff Private Memory Readable, Writable True False False
private_0x00000000000f0000 0x000f0000 0x0012ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000130000 0x00130000 0x00153fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x0000000000160000 0x00160000 0x00160fff Private Memory Readable, Writable True False False
private_0x0000000000170000 0x00170000 0x00170fff Private Memory Readable, Writable True False False
private_0x0000000000180000 0x00180000 0x001bffff Private Memory Readable, Writable True False False
locale.nls 0x001c0000 0x00226fff Memory Mapped File Readable False False False
private_0x0000000000230000 0x00230000 0x00253fff Private Memory Readable, Writable True False False
private_0x0000000000260000 0x00260000 0x002c4fff Private Memory Readable, Writable, Executable True False False
private_0x00000000002e0000 0x002e0000 0x0035ffff Private Memory Readable, Writable True False False
private_0x0000000000380000 0x00380000 0x003bffff Private Memory Readable, Writable True False False
private_0x00000000003c0000 0x003c0000 0x00424fff Private Memory Readable, Writable, Executable True False False
private_0x0000000000440000 0x00440000 0x0047ffff Private Memory Readable, Writable True False False
private_0x0000000000480000 0x00480000 0x0057ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000580000 0x00580000 0x005f4fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000000580000 0x00580000 0x00600fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000000580000 0x00580000 0x005c3fff Pagefile Backed Memory Readable, Writable, Executable True False False
private_0x00000000005a0000 0x005a0000 0x005dffff Private Memory Readable, Writable True False False
private_0x00000000005c0000 0x005c0000 0x005fffff Private Memory Readable, Writable True False False
cmstp.exe 0x00630000 0x00647fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000630000 0x00630000 0x00647fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x0000000000650000 0x00650000 0x007d7fff Pagefile Backed Memory Readable True False False
private_0x00000000007e0000 0x007e0000 0x007effff Private Memory Readable, Writable True False False
pagefile_0x00000000007f0000 0x007f0000 0x00970fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000980000 0x00980000 0x01d7ffff Pagefile Backed Memory Readable True False False
private_0x0000000001d80000 0x01d80000 0x01e7afff Private Memory Readable, Writable True False False
private_0x0000000001e80000 0x01e80000 0x01f4ffff Private Memory Readable, Writable True False False
private_0x0000000001eb0000 0x01eb0000 0x01eeffff Private Memory Readable, Writable True False False
private_0x0000000001ec0000 0x01ec0000 0x02040fff Private Memory Readable, Writable True False False
private_0x0000000001f10000 0x01f10000 0x01f4ffff Private Memory Readable, Writable True False False
pagefile_0x0000000001f50000 0x01f50000 0x0202efff Pagefile Backed Memory Readable True False False
private_0x0000000002050000 0x02050000 0x02352fff Private Memory Readable, Writable, Executable True False False
pagefile_0x0000000002360000 0x02360000 0x02841fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000002850000 0x02850000 0x0296ffff Private Memory Readable, Writable True False False
private_0x0000000002850000 0x02850000 0x0294ffff Private Memory Readable, Writable True False False
private_0x0000000002880000 0x02880000 0x028bffff Private Memory Readable, Writable True False False
private_0x0000000002930000 0x02930000 0x0296ffff Private Memory Readable, Writable True False False
private_0x0000000002960000 0x02960000 0x0296ffff Private Memory Readable, Writable True False False
sortdefault.nls 0x02970000 0x02c3efff Memory Mapped File Readable False False False
private_0x0000000002c60000 0x02c60000 0x02c9ffff Private Memory Readable, Writable True False False
private_0x0000000002cc0000 0x02cc0000 0x02cfffff Private Memory Readable, Writable True False False
private_0x0000000002cd0000 0x02cd0000 0x02d0ffff Private Memory Readable, Writable True False False
private_0x0000000002d00000 0x02d00000 0x031f1fff Private Memory Readable, Writable True False False
uxtheme.dll 0x737e0000 0x7385ffff Memory Mapped File Readable, Writable, Executable False False False
wow64cpu.dll 0x73a00000 0x73a07fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a10000 0x73a6bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73a70000 0x73aaefff Memory Mapped File Readable, Writable, Executable False False False
windowscodecs.dll 0x74bc0000 0x74cbafff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x74bd0000 0x74c8efff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x74c90000 0x74e44fff Memory Mapped File Readable, Writable, Executable False False False
gdiplus.dll 0x74cc0000 0x74e4ffff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x74e60000 0x74e66fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74f70000 0x74fa1fff Memory Mapped File Readable, Writable, Executable False False False
vaultcli.dll 0x74fa0000 0x74fabfff Memory Mapped File Readable, Writable, Executable False False False
version.dll 0x74fb0000 0x74fb8fff Memory Mapped File Readable, Writable, Executable False False False
cmutil.dll 0x74fc0000 0x74fcdfff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74fe0000 0x74febfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74ff0000 0x7504ffff Memory Mapped File Readable, Writable, Executable False False False
shell32.dll 0x75080000 0x75cc9fff Memory Mapped File Readable, Writable, Executable False False False
shlwapi.dll 0x75cd0000 0x75d26fff Memory Mapped File Readable, Writable, Executable False False False
oleaut32.dll 0x760d0000 0x7615efff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76160000 0x7622bfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76260000 0x762fffff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76300000 0x7638ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764d0000 0x7652ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76720000 0x7682ffff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x768c0000 0x768c5fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x768f0000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
ole32.dll 0x76b00000 0x76c5bfff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76c60000 0x76c94fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76ca0000 0x76d4bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76d50000 0x76d59fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76e10000 0x76e55fff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76e70000 0x76e88fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76f90000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077090000 0x77090000 0x771aefff Private Memory Readable, Writable, Executable True False False
private_0x00000000771b0000 0x771b0000 0x772a9fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x772b0000 0x77458fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77490000 0x7760ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efaa000 0x7efaa000 0x7efacfff Private Memory Readable, Writable True False False
private_0x000000007efad000 0x7efad000 0x7efaffff Private Memory Readable, Writable True False False
pagefile_0x000000007efb0000 0x7efb0000 0x7efd2fff Pagefile Backed Memory Readable True False False
private_0x000000007efd5000 0x7efd5000 0x7efd7fff Private Memory Readable, Writable True False False
private_0x000000007efd8000 0x7efd8000 0x7efdafff Private Memory Readable, Writable True False False
private_0x000000007efdb000 0x7efdb000 0x7efddfff Private Memory Readable, Writable True False False
private_0x000000007efde000 0x7efde000 0x7efdefff Private Memory Readable, Writable True False False
private_0x000000007efdf000 0x7efdf000 0x7efdffff Private Memory Readable, Writable True False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
private_0x000000007fff0000 0x7fff0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
Injection Type Source Process Source Os Thread ID Injection Info Success Count
Modify Memory #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x614 address = 0x70000, size = 147456 True 1
Modify Memory #10: c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\igfxonux.scr 0x614 address = 0x630000, size = 98304 True 1
Host Behavior
File (38)
Operation Filename Additional Information Success Count
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\igfxonux.scr desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ True 1
Create \??\C:\Windows\System32\drivers\etc\hosts desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV desired_access = FILE_READ_DATA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-log.ini desired_access = FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA, FILE_READ_EA, FILE_WRITE_EA, FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE False 1
Create \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Create \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe desired_access = FILE_READ_DATA, FILE_READ_EA, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 2
Get Info \??\C:\Windows\SysWOW64\ntdll.dll type = extended True 2
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr type = extended True 2
Get Info \??\C:\Windows\System32\drivers\etc\hosts type = extended True 2
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr type = extended True 2
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrc.ini type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logri.ini type = extended True 1
Get Info \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = extended True 1
Get Info \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\8Q-59UAV\8Q-logrv.ini type = extended True 1
Get Info \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = extended True 2
Read \??\C:\Windows\System32\drivers\etc\hosts offset = 0, size = 824 True 1
Read \??\C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\igfxonux.scr offset = 0, size = 290816 True 1
Read \??\C:\Program Files (x86)\Mozilla Firefox\Firefox.exe offset = 0, size = 275568 True 1
Registry (75)
Operation Key Additional Information Success Count
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion True 1
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ True 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main True 1
Fn
Create Key HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Thunderbird\ False 1
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 18
Fn
Create Key HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 14
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductName True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\ value_name = CurrentVersion True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\25.0 (en-US)\Main value_name = Install Directory True 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 1
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 18
Fn
Enumerate Values HKEY_USERS\S-1-5-21-3388679973-3930757225-3770151564-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run True 14
Fn
Process (7)
+
Operation Process Additional Information Success Count Logfile
Create C:\Program Files (x86)\Mozilla Firefox\Firefox.exe os_pid = 0x6dc, creation_flags = CREATE_SUSPENDED, CREATE_DETACHED_PROCESS, show_window = SW_HIDE True 1
Fn
Get Info c:\windows\explorer.exe type = PROCESS_WOW64_INFORMATION True 1
Fn
Get Info c:\windows\explorer.exe type = PROCESS_BASIC_INFORMATION True 1
Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = PROCESS_WOW64_INFORMATION True 1
Fn
Get Info C:\Program Files (x86)\Mozilla Firefox\Firefox.exe type = PROCESS_BASIC_INFORMATION True 1
Fn
Open c:\windows\explorer.exe desired_access = PROCESS_VM_OPERATION, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION True 2
Fn
Thread (7)
+
Operation Process Additional Information Success Count Logfile
Open c:\windows\explorer.exe os_tid = 0x358 True 1
Fn
Suspend c:\windows\explorer.exe os_tid = 0x358 True 1
Fn
Get Context c:\windows\explorer.exe os_tid = 0x358 True 1
Fn
Queue APC c:\windows\explorer.exe os_tid = 0x358 True 1
Fn
Set Context c:\windows\explorer.exe os_tid = 0x358 True 1
Fn
Resume c:\windows\explorer.exe os_tid = 0x358 True 1
Fn
Resume c:\windows\syswow64\cmstp.exe os_tid = 0x668 True 1
Fn
Memory (3)
+
Operation Process Additional Information Success Count Logfile
Read c:\windows\explorer.exe address = 0x7fffffd4000, size = 64 True 1
Fn
Data
Read C:\Program Files (x86)\Mozilla Firefox\Firefox.exe address = 0xfffde000, size = 32 True 1
Fn
Data
Read C:\Program Files (x86)\Mozilla Firefox\Firefox.exe address = 0x1190000, size = 278528 True 1
Fn
Data
Module (19)
+
Operation Module Additional Information Success Count Logfile
Load C:\Program Files (x86)\Mozilla Firefox\nss3.dll base_address = 0xc0000135 False 1
Fn
Load winsqlite3.dll base_address = 0xc0000135 False 1
Fn
Load vaultcli.dll base_address = 0x0 True 1
Fn
Load gdiplus.dll base_address = 0x0 True 1
Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1829296 True 1
Fn
Create Mapping protection = PAGE_READWRITE, maximum_size = 1827868 True 1
Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1825568 True 1
Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1827900 True 1
Fn
Create Mapping protection = PAGE_EXECUTE_READWRITE, maximum_size = 1827952 True 1
Fn
Map process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x130000 True 1
Fn
Map process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_READWRITE, address_out = 0x2360000 True 1
Fn
Map process_name = c:\windows\explorer.exe, protection = PAGE_READWRITE, address_out = 0x95c0000 True 1
Fn
Map process_name = c:\windows\explorer.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x8220000 True 1
Fn
Map process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x580000 True 1
Fn
Map process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_READWRITE, address_out = 0x3e0000 True 1
Fn
Map process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x580000 True 1
Fn
Map process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x70000 True 1
Fn
Map process_name = c:\windows\syswow64\cmstp.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x580000 True 1
Fn
Map process_name = C:\Program Files (x86)\Mozilla Firefox\Firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0x1190000 True 1
Fn
System (67)
+
Operation Additional Information Success Count Logfile
Sleep duration = 1828376 milliseconds (1828.376 seconds) True 1
Fn
Sleep duration = 1829336 milliseconds (1829.336 seconds) True 32
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 34
Fn
Mutex (2)
+
Operation Additional Information Success Count Logfile
Create mutex_name = L53886-WGVVJKAFC, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Create mutex_name = 8Q-59UAVA1ZvGWMZ, desired_access = MUTEX_MODIFY_STATE, DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE True 1
Fn
Environment (2)
+
Operation Additional Information Success Count Logfile
Set Environment String name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Mozilla Firefox, environment = 0 True 1
Fn
Set Environment String name = PATH, value = C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\, environment = 0 True 1
Fn
Debug (1)
+
Operation Process Additional Information Success Count Logfile
Check for Presence c:\windows\syswow64\cmstp.exe True 1
Fn
Process #14: firefox.exe
(Host: 3, Network: 0)
+
Information Value
ID #14
File Name c:\program files (x86)\mozilla firefox\firefox.exe
Command Line "C:\Program Files (x86)\Mozilla Firefox\Firefox.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:02:44, Reason: Child Process
Unmonitor End Time: 00:05:21, Reason: Terminated by Timeout
Monitor Duration 00:02:37
OS Process Information
+
Information Value
PID 0x6dc
Parent PID 0x634 (c:\windows\syswow64\cmstp.exe)
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Groups
  • XDUWTFONO\Domain Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • Everyone (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • BUILTIN\Administrators (USE_FOR_DENY_ONLY)
  • BUILTIN\Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\INTERACTIVE (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • CONSOLE LOGON (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Authenticated Users (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\This Organization (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\Logon Session 00000000:0000e25d (MANDATORY, ENABLED_BY_DEFAULT, ENABLED, LOGON_ID)
  • LOCAL (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
  • NT AUTHORITY\NTLM Authentication (MANDATORY, ENABLED_BY_DEFAULT, ENABLED)
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs
0x6F8
Region
+
Name Start VA End VA Type Permissions Monitored Dump YARA Match Actions
private_0x0000000000010000 0x00010000 0x0002ffff Private Memory Readable, Writable True False False
pagefile_0x0000000000010000 0x00010000 0x0001ffff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000020000 0x00020000 0x00020fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00031fff Private Memory Readable, Writable True False False
private_0x0000000000030000 0x00030000 0x00030fff Private Memory Readable, Writable True False False
apisetschema.dll 0x00040000 0x00040fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000000050000 0x00050000 0x00053fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000060000 0x00060000 0x00062fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000070000 0x00070000 0x000f0fff Pagefile Backed Memory Readable, Writable, Executable True False False
locale.nls 0x00100000 0x00166fff Memory Mapped File Readable False False False
private_0x0000000000180000 0x00180000 0x001bffff Private Memory Readable, Writable True False False
private_0x00000000001d0000 0x001d0000 0x0020ffff Private Memory Readable, Writable True False False
private_0x0000000000240000 0x00240000 0x0024ffff Private Memory Readable, Writable True False False
private_0x00000000002e0000 0x002e0000 0x003dffff Private Memory Readable, Writable True False False
pagefile_0x00000000003e0000 0x003e0000 0x008c1fff Pagefile Backed Memory Readable, Writable True False False
private_0x0000000000950000 0x00950000 0x009cffff Private Memory Readable, Writable True False False
pagefile_0x00000000009d0000 0x009d0000 0x00b57fff Pagefile Backed Memory Readable True False False
pagefile_0x0000000000b60000 0x00b60000 0x00ce0fff Pagefile Backed Memory Readable True False False
private_0x0000000000cf0000 0x00cf0000 0x00deffff Private Memory Readable, Writable True False False
private_0x0000000000e50000 0x00e50000 0x00e5ffff Private Memory Readable, Writable True False False
ntdll.dll 0x00e60000 0x00fdffff Memory Mapped File Readable, Writable, Executable False False False
firefox.exe 0x01190000 0x011d3fff Memory Mapped File Readable, Writable, Executable False False False
pagefile_0x0000000001190000 0x01190000 0x011d3fff Pagefile Backed Memory Readable, Writable, Executable True False False
pagefile_0x00000000011e0000 0x011e0000 0x025dffff Pagefile Backed Memory Readable True False False
wow64cpu.dll 0x73a00000 0x73a07fff Memory Mapped File Readable, Writable, Executable False False False
wow64win.dll 0x73a10000 0x73a6bfff Memory Mapped File Readable, Writable, Executable False False False
wow64.dll 0x73a70000 0x73aaefff Memory Mapped File Readable, Writable, Executable False False False
msvcp100.dll 0x74860000 0x748c8fff Memory Mapped File Readable, Writable, Executable False False False
mozglue.dll 0x748d0000 0x748f1fff Memory Mapped File Readable, Writable, Executable False False False
winmm.dll 0x74900000 0x74931fff Memory Mapped File Readable, Writable, Executable False False False
nss3.dll 0x74940000 0x74af4fff Memory Mapped File Readable, Writable, Executable False False False
msvcr100.dll 0x74b00000 0x74bbdfff Memory Mapped File Readable, Writable, Executable False False False
wsock32.dll 0x74f90000 0x74f96fff Memory Mapped File Readable, Writable, Executable False False False
cryptbase.dll 0x74fe0000 0x74febfff Memory Mapped File Readable, Writable, Executable False False False
sspicli.dll 0x74ff0000 0x7504ffff Memory Mapped File Readable, Writable, Executable False False False
msctf.dll 0x76160000 0x7622bfff Memory Mapped File Readable, Writable, Executable False False False
advapi32.dll 0x76260000 0x762fffff Memory Mapped File Readable, Writable, Executable False False False
gdi32.dll 0x76300000 0x7638ffff Memory Mapped File Readable, Writable, Executable False False False
imm32.dll 0x764d0000 0x7652ffff Memory Mapped File Readable, Writable, Executable False False False
kernel32.dll 0x76720000 0x7682ffff Memory Mapped File Readable, Writable, Executable False False False
nsi.dll 0x768c0000 0x768c5fff Memory Mapped File Readable, Writable, Executable False False False
rpcrt4.dll 0x768f0000 0x769dffff Memory Mapped File Readable, Writable, Executable False False False
crypt32.dll 0x769e0000 0x76afcfff Memory Mapped File Readable, Writable, Executable False False False
ws2_32.dll 0x76c60000 0x76c94fff Memory Mapped File Readable, Writable, Executable False False False
msvcrt.dll 0x76ca0000 0x76d4bfff Memory Mapped File Readable, Writable, Executable False False False
lpk.dll 0x76d50000 0x76d59fff Memory Mapped File Readable, Writable, Executable False False False
usp10.dll 0x76d70000 0x76e0cfff Memory Mapped File Readable, Writable, Executable False False False
kernelbase.dll 0x76e10000 0x76e55fff Memory Mapped File Readable, Writable, Executable False False False
msasn1.dll 0x76e60000 0x76e6bfff Memory Mapped File Readable, Writable, Executable False False False
sechost.dll 0x76e70000 0x76e88fff Memory Mapped File Readable, Writable, Executable False False False
user32.dll 0x76f90000 0x7708ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x0000000077090000 0x77090000 0x771aefff Private Memory Readable, Writable, Executable True False False
private_0x00000000771b0000 0x771b0000 0x772a9fff Private Memory Readable, Writable, Executable True False False
ntdll.dll 0x772b0000 0x77458fff Memory Mapped File Readable, Writable, Executable False False False
ntdll.dll 0x77490000 0x7760ffff Memory Mapped File Readable, Writable, Executable False False False
private_0x000000007efe0000 0x7efe0000 0x7ffdffff Private Memory Readable True False False
pagefile_0x000000007efe0000 0x7efe0000 0x7f0dffff Pagefile Backed Memory Readable True False False
private_0x000000007f0e0000 0x7f0e0000 0x7ffdffff Private Memory Readable True False False
private_0x000000007ffe0000 0x7ffe0000 0x7ffeffff Private Memory Readable True False False
pagefile_0x00000000fffb0000 0xfffb0000 0xfffd2fff Pagefile Backed Memory Readable True False False
private_0x00000000fffdb000 0xfffdb000 0xfffddfff Private Memory Readable, Writable True False False
private_0x00000000fffde000 0xfffde000 0xfffdefff Private Memory Readable, Writable True False False
private_0x00000000fffdf000 0xfffdf000 0xfffdffff Private Memory Readable, Writable True False False
private_0x00000000fffe0000 0xfffe0000 0x7fffffeffff Private Memory Readable True False False
Injection Information
+
Injection Type Source Process Source Os Thread ID Injection Info Success Count Logfile
Modify Memory #13: c:\windows\syswow64\cmstp.exe 0x668 address = 0x3e0000, size = 5120000 True 1
Fn
Modify Memory #13: c:\windows\syswow64\cmstp.exe 0x668 address = 0x70000, size = 528384 True 1
Fn
Modify Memory #13: c:\windows\syswow64\cmstp.exe 0x668 address = 0x1190000, size = 278528 True 1
Fn
Host Behavior
File (1)
+
Operation Filename Additional Information Success Count Logfile
Create \??\C:\Windows\SysWOW64\ntdll.dll desired_access = FILE_EXECUTE, FILE_READ_ATTRIBUTES, READ_CONTROL, SYNCHRONIZE, file_attributes = FILE_ATTRIBUTE_NORMAL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE, FILE_SHARE_DELETE True 1
Fn
Module (2)
+
Operation Module Additional Information Success Count Logfile
Create Mapping protection = PAGE_EXECUTE, maximum_size = 0 True 1
Fn
Map process_name = c:\program files (x86)\mozilla firefox\firefox.exe, protection = PAGE_EXECUTE_READWRITE, address_out = 0xe60000 False 1
Fn